WIRESHARK(1)                                                      WIRESHARK(1)

NAME

       wireshark - Interactively dump and analyze network traffic

SYNOPSIS

       wireshark [ -i <capture interface>|- ] [ -f <capture filter> ]
       [ -Y <display filter> ] [ -w <outfile> ] [ options ] [ <infile> ]

DESCRIPTION

       Wireshark is a GUI network protocol analyzer. It lets you interactively
       browse packet data from a live network or from a previously saved
       capture file. Wireshark's native capture file formats are pcapng format
       and pcap format; it can read and write both formats. pcap format is
       also the format used by tcpdump and various other tools; tcpdump, when
       using newer versions of the libpcap library, can also read some pcapng
       files, and, on newer versions of macOS, can read all pcapng files and
       can write them as well.

       Wireshark can also read / import the following file formats:

       •   Oracle (previously Sun) snoop and atmsnoop captures

       •   Finisar (previously Shomiti) Surveyor captures

       •   Microsoft Network Monitor captures

       •   Novell LANalyzer captures

       •   AIX’s iptrace captures

       •   Cinco Networks NetXRay captures

       •   NETSCOUT (previously Network Associates/Network General)
           Windows-based Sniffer captures

       •   Network General/Network Associates DOS-based Sniffer captures
           (compressed or uncompressed)

       •   LiveAction (previously WildPackets/Savvius)
           *Peek/EtherHelp/PacketGrabber captures

       •   RADCOM's WAN/LAN analyzer captures

       •   Viavi (previously Network Instruments) Observer captures

       •   Lucent/Ascend router debug output

       •   captures from HP-UX nettl

       •   Toshiba’s ISDN routers dump output

       •   the output from i4btrace from the ISDN4BSD project

       •   traces from the EyeSDN USB S0

       •   the IPLog format output from the Cisco Secure Intrusion Detection
           System

       •   pppd logs (pppdump format)

       •   the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities

       •   the text output from the DBS Etherwatch VMS utility

       •   Visual Networks' Visual UpTime traffic capture

       •   the output from CoSine L2 debug

       •   the output from InfoVista (previously Accellent) 5View LAN agents

       •   Endace Measurement Systems' ERF format captures

       •   Linux Bluez Bluetooth stack hcidump -w traces

       •   Catapult DCT2000 .out files

       •   Gammu generated text output from Nokia DCT3 phones in Netmonitor
           mode

       •   IBM Series (OS/400) Comm traces (ASCII & UNICODE)

       •   Juniper Netscreen snoop files

       •   Symbian OS btsnoop files

       •   TamoSoft CommView files

       •   Tektronix K12xx 32bit .rf5 format files

       •   Tektronix K12 text file format captures

       •   Apple PacketLogger files

       •   Captures from Aethra Telecommunications' PC108 software for their
           test instruments

       •   Citrix NetScaler Trace files

       •   Android Logcat binary and text format logs

       •   Colasoft Capsa and PacketBuilder captures

       •   Micropross mplog files

       •   Unigraf DPA-400 DisplayPort AUX channel monitor traces

       •   802.15.4 traces from Daintree’s Sensor Network Analyzer

       •   MPEG-2 Transport Streams as defined in ISO/IEC 13818-1

       •   Log files from the candump utility

       •   Logs from the BUSMASTER tool

       •   Ixia IxVeriWave raw captures

       •   Rabbit Labs CAM Inspector files

       •   systemd journal files

       •   3GPP TS 32.423 trace files

       There is no need to tell Wireshark what type of file you are reading;
       it will determine the file type by itself. Wireshark is also capable of
       reading any of these file formats if they are compressed using gzip.
       Wireshark recognizes this directly from the file; the '.gz' extension
       is not required for this purpose.

       Like other protocol analyzers, Wireshark's main window shows 3 views of
       a packet. It shows a summary line, briefly describing what the packet
       is. A packet details display is shown, allowing you to drill down to
       the exact protocol or field that you are interested in. Finally, a hex
       dump shows you exactly what the packet looks like when it goes over the
       wire.

       In addition, Wireshark has some features that make it unique. It can
       assemble all the packets in a TCP conversation and show you the ASCII
       (or EBCDIC, or hex) data in that conversation. Display filters in
       Wireshark are very powerful; more fields are filterable in Wireshark
       than in other protocol analyzers, and the syntax you can use to create
       your filters is richer. As Wireshark progresses, expect more and more
       protocol fields to be allowed in display filters.

       Packet capturing is performed with the pcap library. The capture filter
       syntax follows the rules of the pcap library. This syntax is different
       from the display filter syntax.

       Compressed file support uses (and therefore requires) the zlib library.
       If the zlib library is not present, Wireshark will compile, but will be
       unable to read compressed files.

       The pathname of a capture file to be read can be specified with the -r
       option or can be specified as a command-line argument.

OPTIONS

       Most users will want to start Wireshark without options and configure
       it from the menus instead. Those users may just skip this section.

       -a|--autostop  <capture autostop condition>

           Specify a criterion that specifies when Wireshark is to stop
           writing to a capture file. The criterion is of the form test:value,
           where test is one of:

           duration:value Stop writing to a capture file after value seconds
           have elapsed. Floating point values (e.g. 0.5) are allowed.

           files:value Stop writing to capture files after value number of
           files were written.

           filesize:value Stop writing to a capture file after it reaches a
           size of value kB. If this option is used together with the -b
           option, Wireshark will stop writing to the current capture file and
           switch to the next one if filesize is reached. Note that the
           filesize is limited to a maximum value of 2 GiB.

           packets:value Stop writing to a capture file after it contains
           value packets. Acts the same as -c <capture packet count>.

       -b|--ring-buffer  <capture ring buffer option>

           Cause Wireshark to run in "multiple files" mode. In "multiple
           files" mode, Wireshark will write to several capture files. When
           the first capture file fills up, Wireshark will switch writing to
           the next file and so on.

           The created filenames are based on the filename given with the -w
           flag, the number of the file and on the creation date and time,
           e.g. outfile_00001_20230714120117.pcap,
           outfile_00002_20230714120523.pcap, ...

           With the files option it’s also possible to form a "ring buffer".
           This will fill up new files until the number of files specified, at
           which point Wireshark will discard the data in the first file and
           start writing to that file and so on. If the files option is not
           set, new files are filled up until one of the capture stop
           conditions matches (or until the disk is full).

           The criterion is of the form key:value, where key is one of:

           duration:value switch to the next file after value seconds have
           elapsed, even if the current file is not completely filled up.
           Floating point values (e.g. 0.5) are allowed.

           files:value begin again with the first file after value number of
           files were written (form a ring buffer). This value must be less
           than 100000. Caution should be used when using large numbers of
           files: some filesystems do not handle many files in a single
           directory well. The files criterion requires one of the other
           criteria to be specified to control when to go to the next file. It
           should be noted that each -b parameter takes exactly one criterion;
           to specify two criteria, each must be preceded by the -b option.

           filesize:value switch to the next file after it reaches a size of
           value kB. Note that the filesize is limited to a maximum value of 2
           GiB.

           interval:value switch to the next file when the time is an exact
           multiple of value seconds.

           packets:value switch to the next file after it contains value
           packets.

           Example: -b filesize:1000 -b files:5 results in a ring buffer of
           five files of size one megabyte each.

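           The -b rules above, checked before a long-running capture is
           started. This is an added example, not part of the original manual
           page or of Wireshark; the function names, the interface eth0, the
           output path and the conservative filesize cap are assumptions.

```shell
#!/bin/sh
# Added example: check -b criteria against the rules stated above and expand
# them into options. Function names are hypothetical, not part of Wireshark.

# Conservative cap (assumption): 2097152 kB stays within the documented 2 GiB
# limit whether a kB is counted as 1000 or as 1024 bytes.
MAX_FILESIZE_KB=2097152

# ring_opts CRITERION...
# Prints "-b c1 -b c2 ..." (one criterion per -b); returns 1 on a violation.
ring_opts() {
    opts="" have_files=0 have_switch=0
    for crit in "$@"; do
        key=${crit%%:*}
        val=${crit#*:}
        if [ "$key" = "$crit" ] || [ -z "$val" ]; then
            echo "not key:value: $crit" >&2; return 1
        fi
        case $key in
            duration)
                # Seconds; floating point values such as 0.5 are allowed.
                case $val in
                    *[!0-9.]*|*.*.*|.) echo "bad duration: $val" >&2; return 1 ;;
                esac
                have_switch=1 ;;
            files|filesize|interval|packets)
                # Positive decimal integer of at most 9 digits; this also rejects
                # two criteria packed into one argument ("filesize:1000,files:5").
                case $val in
                    0*|*[!0-9]*|??????????*) echo "bad $key: $val" >&2; return 1 ;;
                esac
                if [ "$key" = files ]; then
                    # The files value must be less than 100000.
                    [ "$val" -lt 100000 ] || { echo "files must be < 100000" >&2; return 1; }
                    have_files=1
                else
                    if [ "$key" = filesize ] && [ "$val" -gt "$MAX_FILESIZE_KB" ]; then
                        echo "filesize above the 2 GiB cap" >&2; return 1
                    fi
                    have_switch=1
                fi ;;
            *) echo "unknown criterion: $key" >&2; return 1 ;;
        esac
        opts="$opts${opts:+ }-b $crit"
    done
    # files only sets the number of slots in the ring; another criterion must
    # say when to move on to the next file.
    if [ "$have_files" -eq 1 ] && [ "$have_switch" -eq 0 ]; then
        echo "files needs a switching criterion" >&2; return 1
    fi
    [ -n "$opts" ] || { echo "no criteria given" >&2; return 1; }
    printf '%s\n' "$opts"
}

# ring_budget_kb CRITERION...
# Worst-case disk use in kB (filesize x files). Fails when either is missing,
# because the ring is then not bounded by size.
ring_budget_kb() {
    ring_opts "$@" >/dev/null || return 1
    size="" count=""
    for crit in "$@"; do
        case $crit in
            filesize:*) size=${crit#*:} ;;
            files:*)    count=${crit#*:} ;;
        esac
    done
    [ -n "$size" ] && [ -n "$count" ] || return 1
    echo $(( size * count ))
}

# The page's own example: five files of one megabyte each. The command line
# is only printed here, not executed; eth0 and the path are placeholders.
echo "wireshark -k -i eth0 -w /var/tmp/ring.pcapng $(ring_opts filesize:1000 files:5)"
echo "worst-case disk use: $(ring_budget_kb filesize:1000 files:5) kB"
```
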
       -B|--buffer-size  <capture buffer size>

           Set capture buffer size (in MiB, default is 2 MiB). This is used by
           the capture driver to buffer packet data until that data can be
           written to disk. If you encounter packet drops while capturing, try
           to increase this size. Note that, while Wireshark attempts to set
           the buffer size to 2 MiB by default, and can be told to set it to a
           larger value, the system or interface on which you’re capturing
           might silently limit the capture buffer size to a lower value or
           raise it to a higher value.

           This is available on UNIX systems with libpcap 1.0.0 or later and
           on Windows. It is not available on UNIX systems with earlier
           versions of libpcap.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture buffer
           size. If used after an -i option, it sets the capture buffer size
           for the interface specified by the last -i option occurring before
           this option. If the capture buffer size is not set specifically,
           the default capture buffer size is used instead.

       -c  <capture packet count>

           Set the maximum number of packets to read when capturing live data.
           Acts the same as -a packets:<capture packet count>.

       -C  <configuration profile>

           Start with the given configuration profile.

       --capture-comment <comment>

           When performing a capture from the command line, with the -k
           flag, add a capture comment to the output file, if supported by the
           capture format.

           This option may be specified multiple times. Note that Wireshark
           currently only displays the first comment of a capture file.

       -d  <layer type>==<selector>,<decode-as protocol>

           Like Wireshark’s Decode As... feature, this lets you specify how a
           layer type should be dissected. If the layer type in question (for
           example, tcp.port or udp.port for a TCP or UDP port number) has the
           specified selector value, packets should be dissected as the
           specified protocol.

           Example: -d tcp.port==8888,http will decode any traffic running
           over TCP port 8888 as HTTP.

           See the tshark(1) manual page for more examples.

       -D|--list-interfaces

           Print a list of the interfaces on which Wireshark can capture, and
           exit. For each network interface, a number and an interface name,
           possibly followed by a text description of the interface, is
           printed. The interface name or the number can be supplied to the -i
           flag to specify an interface on which to capture.

           This can be useful on systems that don’t have a command to list
           them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
           link show). The number can be useful on Windows systems, where the
           interface name might be a long name or a GUID.

           Note that "can capture" means that Wireshark was able to open that
           device to do a live capture; if, on your system, a program doing a
           network capture must be run from an account with special privileges
           (for example, as root), then, if Wireshark is run with the -D flag
           and is not run from such an account, it will not list any
           interfaces.

       --display <X display to use>

           Specifies the X display to use. A hostname and screen
           (otherhost:0.0) or just a screen (:0.0) can be specified. This
           option is not available under Windows.

       --disable-protocol <proto_name>

           Disable dissection of proto_name.

       --disable-heuristic <short_name>

           Disable dissection of heuristic protocol.

       --enable-protocol <proto_name>

           Enable dissection of proto_name.

       --enable-heuristic <short_name>

           Enable dissection of heuristic protocol.

       -f  <capture filter>

           Set the capture filter expression.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture filter
           expression. If used after an -i option, it sets the capture filter
           expression for the interface specified by the last -i option
           occurring before this option. If the capture filter expression is
           not set specifically, the default capture filter expression is used
           if provided.

           Pre-defined capture filter names, as shown in the GUI menu item
           Capture→Capture Filters, can be used by prefixing the argument with
           "predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"

       --fullscreen

           Start Wireshark in full screen mode (kiosk mode). To exit from
           fullscreen mode, open the View menu and select the Full Screen
           option. Alternatively, press the F11 key (or Ctrl + Cmd + F for
           macOS).

       -g  <packet number>

           After reading in a capture file using the -r flag, go to the given
           packet number.

       -h|--help

           Print the version number and options and exit.

       -H

           Hide the capture info dialog during live packet capture.

       -i|--interface  <capture interface>|-

           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "wireshark -D" (described above); a number, as reported by
           "wireshark -D", can also be used. If you’re using UNIX, "netstat
           -i", "ifconfig -a" or "ip link" might also work to list interface
           names, although not all versions of UNIX support the -a option to
           ifconfig.

           If no interface is specified, Wireshark searches the list of
           interfaces, choosing the first non-loopback interface if there are
           any non-loopback interfaces, and choosing the first loopback
           interface if there are no non-loopback interfaces. If there are no
           interfaces at all, Wireshark reports an error and doesn’t start the
           capture.

           Pipe names should be either the name of a FIFO (named pipe) or "-"
           to read data from the standard input. On Windows systems, pipe
           names must be of the form "\\.\pipe\pipename". Data read from pipes
           must be in standard pcapng or pcap format. Pcapng data must have
           the same endianness as the capturing host.

           "TCP@<host>:<port>" causes Wireshark to attempt to connect to the
           specified port on the specified host and read pcapng or pcap data.

           This option can occur multiple times. When capturing from multiple
           interfaces, the capture file will be saved in pcapng format.

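           What "standard pcap format" on a pipe means at the byte level, as
           an added example that is not part of the original manual page: a
           POSIX shell writer for a pcap stream that can be fed to
           "wireshark -k -i -". The function names, the timestamp and the
           sample ARP frame (documentation addresses 192.0.2.1 and 192.0.2.2)
           are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit a minimal little-endian pcap stream on standard output.
# Function names and the sample frame are constructed, not from Wireshark.

# byte N: write one byte with value N (0-255) via an octal printf escape.
byte() { printf "\\$(printf '%03o' "$1")"; }
# le16 / le32 N: write N as a little-endian 16-bit / 32-bit integer.
le16() { byte $(( $1 & 255 )); byte $(( ($1 >> 8) & 255 )); }
le32() { le16 $(( $1 & 65535 )); le16 $(( ($1 >> 16) & 65535 )); }

# hex_bytes HEX: write the bytes named by an even-length hex string.
hex_bytes() {
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}
        byte $(( 0x${h%"$rest"} ))
        h=$rest
    done
}

# pcap_header: the 24-byte global header. The magic number 0xa1b2c3d4,
# written little-endian here, is how a reader detects the byte order.
pcap_header() {
    le32 $(( 0xa1b2c3d4 ))   # magic
    le16 2; le16 4           # format version 2.4
    le32 0; le32 0           # thiszone, sigfigs
    le32 262144              # snaplen (the full-packet value given under -s)
    le32 1                   # link type 1 = Ethernet
}

# pcap_record TS_SEC HEX: 16-byte record header followed by the frame bytes.
# Returns 1 without writing anything if HEX is not a whole number of bytes.
pcap_record() {
    case $2 in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#2} % 2 )) -eq 0 ] || return 1
    len=$(( ${#2} / 2 ))
    le32 "$1"; le32 0          # timestamp: seconds, microseconds
    le32 "$len"; le32 "$len"   # captured length, original length
    hex_bytes "$2"
}

# Constructed sample: ARP request "who has 192.0.2.2, tell 192.0.2.1".
ETH_HDR=ffffffffffff0200000000010806                 # broadcast, src 02:00:00:00:00:01, ARP
ARP_HDR=0001080006040001                             # Ethernet/IPv4, opcode request
ARP_ADDRS=020000000001c0000201000000000000c0000202   # sender and target MAC/IP
SAMPLE_FRAME=$ETH_HDR$ARP_HDR$ARP_ADDRS

# pcap_stream: header plus one record, with a constructed timestamp.
pcap_stream() {
    pcap_header
    pcap_record 1700000000 "$SAMPLE_FRAME"
}

# Usage (not run here):  pcap_stream | wireshark -k -i -
```
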
       -I|--monitor-mode

           Put the interface in "monitor mode"; this is supported only on IEEE
           802.11 Wi-Fi interfaces, and supported only on some operating
           systems.

           Note that in monitor mode the adapter might disassociate from the
           network with which it’s associated, so that you will not be able to
           use any wireless networks with that adapter. This could prevent
           accessing files on a network server, or resolving host names or
           network addresses, if you are capturing in monitor mode and are not
           connected to another network with another adapter.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it enables the monitor mode for all
           interfaces. If used after an -i option, it enables the monitor mode
           for the interface specified by the last -i option occurring before
           this option.

       -j

           Use after -J to change the behavior when no exact match is found
           for the filter. With this option, the first packet before is
           selected.

       -J  <jump filter>

           After reading in a capture file using the -r flag, jump to the
           packet matching the filter (display filter syntax). If no exact
           match is found, the first packet after that is selected.

       -k

           Start the capture session immediately. If the -i flag was
           specified, the capture uses the specified interface. Otherwise,
           Wireshark searches the list of interfaces, choosing the first
           non-loopback interface if there are any non-loopback interfaces,
           and choosing the first loopback interface if there are no
           non-loopback interfaces; if there are no interfaces, Wireshark
           reports an error and doesn’t start the capture.

       -K  <keytab>

           Load Kerberos crypto keys from the specified keytab file. This
           option can be used multiple times to load keys from several files.

           Example: -K krb5.keytab

       -l

           Turn on automatic scrolling if the packet display is being updated
           automatically as packets arrive during a capture (as specified by
           the -S flag).

       -L|--list-data-link-types

           List the data link types supported by the interface and exit.

       --list-time-stamp-types

           List time stamp types supported for the interface. If no time stamp
           type can be set, no time stamp types are listed.

       -n

           Disable network object name resolution (such as hostname, TCP and
           UDP port names); the -N flag might override this one.

       -N  <name resolving flags>

           Turn on name resolving only for particular types of addresses and
           port numbers, with name resolving for other types of addresses and
           port numbers turned off. This flag overrides -n if both -N and -n
           are present. If both -N and -n flags are not present, all name
           resolutions are turned on.

           The argument is a string that may contain the letters:

           m to enable MAC address resolution

           n to enable network address resolution

           N to enable using external resolvers (e.g., DNS) for network
           address resolution

           t to enable transport-layer port number resolution

           d to enable resolution from captured DNS packets

           v to enable VLAN IDs to names resolution

       -o  <preference/recent setting>

           Set a preference or recent value, overriding the default value and
           any value read from a preference/recent file. The argument to the
           flag is a string of the form prefname:value, where prefname is the
           name of the preference/recent value (which is the same name that
           would appear in the preference/recent file), and value is the value
           to which it should be set. Since Ethereal 0.10.12, the recent
           settings replace the formerly used -B, -P and -T flags to
           manipulate the GUI dimensions.

           If prefname is "uat", you can override settings in various user
           access tables using the form "uat:uat filename:uat record". uat
           filename must be the name of a UAT file, e.g. user_dlts. uat_record
           must be in the form of a valid record for that file, including
           quotes. For instance, to specify a user DLT from the command line,
           you would use

               -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""

       -p|--no-promiscuous-mode

           Don’t put the interface into promiscuous mode. Note that the
           interface might be in promiscuous mode for some other reason;
           hence, -p cannot be used to ensure that the only traffic that is
           captured is traffic sent to or from the machine on which Wireshark
           is running, broadcast traffic, and multicast traffic to addresses
           received by that machine.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, no interface will be put into the
           promiscuous mode. If used after an -i option, the interface
           specified by the last -i option occurring before this option will
           not be put into the promiscuous mode.

       -P <path setting>

           Special path settings usually detected automatically. This is used
           for special cases, e.g. starting Wireshark from a known location on
           a USB stick.

           The criterion is of the form key:path, where key is one of:

           persconf:path path of personal configuration files, like the
           preferences files.

           persdata:path path of personal data files; it’s the folder
           initially opened. After the very first initialization, the recent
           file will keep the folder last used.

       -r|--read-file  <infile>

           Read packet data from infile, which can be in any supported capture
           file format (including gzipped files). It’s not possible to use
           named pipes or stdin here! To capture from a pipe or from stdin use
           -i -

       -R|--read-filter  <read (display) filter>

           When reading a capture file specified with the -r flag, causes the
           specified filter (which uses the syntax of display filters, rather
           than that of capture filters) to be applied to all packets read
           from the capture file; packets not matching the filter are
           discarded.

       -s|--snapshot-length  <capture snaplen>

           Set the default snapshot length to use when capturing live data. No
           more than snaplen bytes of each network packet will be read into
           memory, or saved to disk. A value of 0 specifies a snapshot length
           of 262144, so that the full packet is captured; this is the
           default.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default snapshot length.
           If used after an -i option, it sets the snapshot length for the
           interface specified by the last -i option occurring before this
           option. If the snapshot length is not set specifically, the default
           snapshot length is used if provided.

       -S

           Automatically update the packet display as packets are coming in.

       -t  a|ad|adoy|d|dd|e|r|u|ud|udoy

           Set the format of the packet timestamp displayed in the packet list
           window. The format can be one of:

           a absolute: The absolute time, as local time in your time zone, is
           the actual time the packet was captured, with no date displayed

           ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
           and time, as local time in your time zone, is the actual time and
           date the packet was captured

           adoy absolute with date using day of year: The absolute date,
           displayed as YYYY/DOY, and time, as local time in your time zone,
           is the actual time and date the packet was captured

           d delta: The delta time is the time since the previous packet was
           captured

           dd delta_displayed: The delta_displayed time is the time since the
           previous displayed packet was captured

           e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)

           r relative: The relative time is the time elapsed between the first
           packet and the current packet

           u UTC: The absolute time, as UTC, is the actual time the packet was
           captured, with no date displayed

           ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
           time, as UTC, is the actual time and date the packet was captured

           udoy UTC with date using day of year: The absolute date, displayed
           as YYYY/DOY, and time, as UTC, is the actual time and date the
           packet was captured

           The default format is relative.

       --temp-dir <directory>

           Specifies the directory into which temporary files (including
           capture files) are to be written. The default behaviour is to use
           your system’s temporary directory (typically /tmp on Linux, and
           C:\\Temp on Windows).

       --time-stamp-type <type>

           Change the interface’s timestamp method. See
           --list-time-stamp-types.

       -u <s|hms>

           Output format of seconds (def: s: seconds)

       -v|--version

           Print the full version information and exit.

       -w  <outfile>

           Set the default capture file name, or '-' for standard output.

       -X <eXtension options>

           Specify an option to be passed to a Wireshark module. The
           eXtension option is in the form extension_key:value, where
           extension_key can be:

           lua_script:lua_script_filename tells Wireshark to load the given
           script in addition to the default Lua scripts.

           lua_scriptnum:argument tells Wireshark to pass the given argument
           to the lua script identified by 'num', which is the number indexed
           order of the 'lua_script' command. For example, if only one script
           was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
           will pass the string 'foo' to the 'my.lua' script. If two scripts
           were loaded, such as '-X lua_script:my.lua' and '-X
           lua_script:other.lua' in that order, then a '-X lua_script2:bar'
           would pass the string 'bar' to the second lua script, namely
           'other.lua'.

           read_format:file_format tells Wireshark to use the given file
           format to read in the file (the file given in the -r command
           option).

           stdin_descr:description tells Wireshark to use the given
           description when capturing from standard input (-i -).

       -y|--linktype  <capture link type>

           If a capture is started from the command line with -k, set the data
           link type to use while capturing packets. The values reported by -L
           are the values that can be used.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture link type.
           If used after an -i option, it sets the capture link type for the
           interface specified by the last -i option occurring before this
           option. If the capture link type is not set specifically, the
           default capture link type is used if provided.

       -Y|--display-filter  <displaY filter>

           Start with the given display filter.

       -z  <statistics>

           Get Wireshark to collect various types of statistics and display
           the result in a window that updates in semi-real time.

           Some of the currently implemented statistics are:

678       -z help
679
680           Display all possible values for -z.
681
682       -z afp,srt[,filter]
683
684           Show Apple Filing Protocol service response time statistics.
685
686       -z conv,type[,filter]
687
688           Create a table that lists all conversations that could be seen in
689           the capture. type specifies the conversation endpoint types for
690           which we want to generate the statistics; currently the supported
691           ones are:
692
693               "eth"   Ethernet addresses
694               "fc"    Fibre Channel addresses
695               "fddi"  FDDI addresses
696               "ip"    IPv4 addresses
697               "ipv6"  IPv6 addresses
698               "ipx"   IPX addresses
699               "tcp"   TCP/IP socket pairs   Both IPv4 and IPv6 are supported
700               "tr"    Token Ring addresses
701               "udp"   UDP/IP socket pairs   Both IPv4 and IPv6 are supported
702
703           If the optional filter is specified, only those packets that match
704           the filter will be used in the calculations.
705
706           The table is presented with one line for each conversation and
707           displays the number of packets/bytes in each direction as well as
708           the total number of packets/bytes. By default, the table is sorted
709           according to the total number of packets.
710
711           These tables can also be generated at runtime by selecting the
712           appropriate conversation type from the menu
713           "Tools/Statistics/Conversation List/".
714
715       -z dcerpc,srt,name-or-uuid,major.minor[,filter]
716
717           Collect call/reply SRT (Service Response Time) data for DCERPC
718           interface name or uuid, version major.minor. Data collected is the
719           number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
720           Interface name and uuid are case-insensitive.
721
722           Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
723           will collect data for the CIFS SAMR Interface.
724
725           This option can be used multiple times on the command line.
726
           If the optional filter is provided, the stats will only be
           calculated on those calls that match that filter.
729
730           Example: -z
731           dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
732           will collect SAMR SRT statistics for a specific host.
733
734       -z dhcp,stat[,filter]
735
736           Show DHCP (BOOTP) statistics.
737
738       -z expert
739
740           Show expert information.
741
742       -z fc,srt[,filter]
743
744           Collect call/reply SRT (Service Response Time) data for FC. Data
745           collected is the number of calls for each Fibre Channel command,
746           MinSRT, MaxSRT and AvgSRT.
747
748           Example: -z fc,srt will calculate the Service Response Time as the
749           time delta between the First packet of the exchange and the Last
750           packet of the exchange.
751
           The data will be presented as separate tables for all normal FC
           commands. Only those commands that are seen in the capture will
           have their stats displayed.
755
756           This option can be used multiple times on the command line.
757
758           If the optional filter is provided, the stats will only be
759           calculated on those calls that match that filter.
760
           Example: -z "fc,srt,fc.id==01.02.03" will collect stats only for FC
           packets exchanged by the host at FC address 01.02.03.
763
764       -z h225,counter[,filter]
765
766           Count ITU-T H.225 messages and their reasons. In the first column
767           you get a list of H.225 messages and H.225 message reasons which
768           occur in the current capture file. The number of occurrences of
769           each message or reason is displayed in the second column.
770
771           Example: -z h225,counter
772
773           This option can be used multiple times on the command line.
774
775           If the optional filter is provided, the stats will only be
776           calculated on those calls that match that filter.
777
           Example: -z "h225,counter,ip.addr==1.2.3.4" will collect stats only
           for H.225 packets exchanged by the host at IP address 1.2.3.4.
780
781       -z h225,srt[,filter]
782
783           Collect request/response SRT (Service Response Time) data for ITU-T
784           H.225 RAS. Data collected is the number of calls of each ITU-T
785           H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
786           Minimum in Packet, and Maximum in Packet. You will also get the
787           number of Open Requests (Unresponded Requests), Discarded Responses
788           (Responses without matching request) and Duplicate Messages.
789
790           Example: -z h225,srt
791
792           This option can be used multiple times on the command line.
793
794           If the optional filter is provided, the stats will only be
795           calculated on those calls that match that filter.
796
           Example: -z "h225,srt,ip.addr==1.2.3.4" will collect stats only for
           ITU-T H.225 RAS packets exchanged by the host at IP address
           1.2.3.4.
800
801       -z io,stat
802
803           Collect packet/bytes statistics for the capture in intervals of 1
804           second. This option will open a window with up to 5 color-coded
805           graphs where number-of-packets-per-second or
806           number-of-bytes-per-second statistics can be calculated and
807           displayed.
808
809           This option can be used multiple times on the command line.
810
811           This graph window can also be opened from the
812           Analyze:Statistics:Traffic:IO-Stat menu item.
813
814       -z ldap,srt[,filter]
815
816           Collect call/reply SRT (Service Response Time) data for LDAP. Data
817           collected is the number of calls for each implemented LDAP command,
818           MinSRT, MaxSRT and AvgSRT.
819
820           Example: -z ldap,srt will calculate the Service Response Time as
821           the time delta between the Request and the Response.
822
           The data will be presented as separate tables for all implemented
           LDAP commands. Only those commands that are seen in the capture
           will have their stats displayed.
826
827           This option can be used multiple times on the command line.
828
829           If the optional filter is provided, the stats will only be
830           calculated on those calls that match that filter.
831
           Example: -z "ldap,srt,ip.addr==10.1.1.1" will collect stats only
           for LDAP packets exchanged by the host at IP address 10.1.1.1.
835
           The only LDAP commands that are currently implemented and for which
           the stats will be available are: BIND, SEARCH, MODIFY, ADD, DELETE,
           MODRDN, COMPARE and EXTENDED.
839
840       -z megaco,srt[,filter]
841
842           Collect request/response SRT (Service Response Time) data for
843           MEGACO. (This is similar to -z smb,srt). Data collected is the
844           number of calls for each known MEGACO Command, Minimum SRT, Maximum
845           SRT and Average SRT.
846
847           Example: -z megaco,srt
848
849           This option can be used multiple times on the command line.
850
851           If the optional filter is provided, the stats will only be
852           calculated on those calls that match that filter.
853
           Example: -z "megaco,srt,ip.addr==1.2.3.4" will collect stats only
           for MEGACO packets exchanged by the host at IP address 1.2.3.4.
856
857       -z mgcp,srt[,filter]
858
859           Collect request/response SRT (Service Response Time) data for MGCP.
860           (This is similar to -z smb,srt). Data collected is the number of
861           calls for each known MGCP Type, Minimum SRT, Maximum SRT and
862           Average SRT.
863
864           Example: -z mgcp,srt
865
866           This option can be used multiple times on the command line.
867
868           If the optional filter is provided, the stats will only be
869           calculated on those calls that match that filter.
870
           Example: -z "mgcp,srt,ip.addr==1.2.3.4" will collect stats only for
           MGCP packets exchanged by the host at IP address 1.2.3.4.
873
874       -z mtp3,msus[,<filter>]
875
876           Show MTP3 MSU statistics.
877
878       -z multicast,stat[,<filter>]
879
880           Show UDP multicast stream statistics.
881
882       -z rpc,programs
883
884           Collect call/reply SRT data for all known ONC-RPC
885           programs/versions. Data collected is the number of calls for each
886           protocol/version, MinSRT, MaxSRT and AvgSRT.
887
888       -z rpc,srt,name-or-number,version[,<filter>]
889
890           Collect call/reply SRT (Service Response Time) data for program
891           name/version or number/version. Data collected is the number of
892           calls for each procedure, MinSRT, MaxSRT and AvgSRT. Program name
893           is case-insensitive.
894
895           Example: -z rpc,srt,100003,3 will collect data for NFS v3.
896
897           This option can be used multiple times on the command line.
898
899           If the optional filter is provided, the stats will only be
900           calculated on those calls that match that filter.
901
902           Example: -z rpc,srt,nfs,3,nfs.fh.hash==0x12345678 will collect NFS
903           v3 SRT statistics for a specific file.
904
905       -z scsi,srt,cmdset[,<filter>]
906
907           Collect call/reply SRT (Service Response Time) data for SCSI
908           commandset <cmdset>.
909
910           Commandsets are 0:SBC   1:SSC  5:MMC
911
912           Data collected is the number of calls for each procedure, MinSRT,
913           MaxSRT and AvgSRT.
914
915           Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
916           (SBC).
917
918           This option can be used multiple times on the command line.
919
920           If the optional filter is provided, the stats will only be
921           calculated on those calls that match that filter.
922
923           Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
924           statistics for a specific iscsi/ifcp/fcip host.
925
926       -z sip,stat[,filter]
927
928           This option will activate a counter for SIP messages. You will get
929           the number of occurrences of each SIP Method and of each SIP
930           Status-Code. Additionally you also get the number of resent SIP
931           Messages (only for SIP over UDP).
932
933           Example: -z sip,stat
934
935           This option can be used multiple times on the command line.
936
937           If the optional filter is provided, the stats will only be
938           calculated on those calls that match that filter.
939
           Example: -z "sip,stat,ip.addr==1.2.3.4" will collect stats only for
           SIP packets exchanged by the host at IP address 1.2.3.4.
942
943       -z smb,srt[,filter]
944
945           Collect call/reply SRT (Service Response Time) data for SMB. Data
946           collected is the number of calls for each SMB command, MinSRT,
947           MaxSRT and AvgSRT.
948
949           Example: -z smb,srt
950
951           The data will be presented as separate tables for all normal SMB
952           commands, all Transaction2 commands and all NT Transaction
953           commands. Only those commands that are seen in the capture will
954           have their stats displayed. Only the first command in a xAndX
955           command chain will be used in the calculation. So for common
956           SessionSetupAndX + TreeConnectAndX chains, only the
957           SessionSetupAndX call will be used in the statistics. This is a
958           flaw that might be fixed in the future.
959
960           This option can be used multiple times on the command line.
961
962           If the optional filter is provided, the stats will only be
963           calculated on those calls that match that filter.
964
           Example: -z "smb,srt,ip.addr==1.2.3.4" will collect stats only for
           SMB packets exchanged by the host at IP address 1.2.3.4.
967
968       -z voip,calls
969
970           This option will show a window that shows VoIP calls found in the
971           capture file. This is the same window shown as when you go to the
972           Statistics Menu and choose VoIP Calls.
973
974           Example: -z voip,calls
975
976       -z wlan,stat[,<filter>]
977
978           Show IEEE 802.11 network and station statistics.
979
980       -z wsp,stat[,<filter>]
981
982           Show WSP packet counters.
983

DIAGNOSTIC OPTIONS

985       --log-level <level>
986           Set the active log level. Supported levels in lowest to highest
987           order are "noisy", "debug", "info", "message", "warning",
988           "critical", and "error". Messages at each level and higher will be
989           printed, for example "warning" prints "warning", "critical", and
990           "error" messages and "noisy" prints all messages. Levels are case
991           insensitive.
992
993       --log-fatal <level>
994           Abort the program if any messages are logged at the specified level
995           or higher. For example, "warning" aborts on any "warning",
996           "critical", or "error" messages.
997
998       --log-domains <list>
999           Only print messages for the specified log domains, e.g.
1000           "GUI,Epan,sshdump". List of domains must be comma-separated.
1001
1002       --log-debug <list>
1003           Force the specified domains to log at the "debug" level. List of
1004           domains must be comma-separated.
1005
1006       --log-noisy <list>
1007           Force the specified domains to log at the "noisy" level. List of
1008           domains must be comma-separated.
1009
1010       --log-file <path>
1011           Write log messages and stderr output to the specified file.
1012

INTERFACE

1014   MENU ITEMS
1015       File  Open, File  Open Recent, File  Merge
1016
1017           Merge another capture file to the currently loaded one. The
1018           File:Merge dialog box allows the merge "Prepended",
1019           "Chronologically" or "Appended", relative to the already loaded
1020           one.
1021
1022       File  Close
1023
1024           Open or close a capture file. The File:Open dialog box allows a
1025           filter to be specified; when the capture file is read, the filter
1026           is applied to all packets read from the file, and packets not
1027           matching the filter are discarded. The File:Open Recent is a
1028           submenu and will show a list of previously opened files.
1029
1030       File  Save, File  Save As
1031
           Save the current capture, or the packets currently displayed from
           that capture, to a file. Check boxes let you select whether to save
           all packets, or just those that have passed the current display
           filter and/or those that are currently marked, and an option menu
           lets you select (from a list of file formats in which a particular
           capture, or the packets currently displayed from that capture, can
           be saved), a file format in which to save it.
1039
       File  File Set  List Files
1041
1042           Show a dialog box that lists all files of the file set matching the
1043           currently loaded file. A file set is a compound of files resulting
1044           from a capture using the "multiple files" / "ringbuffer" mode,
1045           recognizable by the filename pattern, e.g.:
1046           Filename_00001_20230714101530.pcap.
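
           An added example (not part of the Wireshark manual or code base):
           grouping a directory listing into file sets and checking each set
           for missing or out-of-order members before analysis. The name
           layout is inferred from the sample filename above, and every name
           in the listing except that sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the sample name on this page (an assumption):
#   <prefix>_<5-digit sequence>_<YYYYMMDDhhmmss><suffix>
FILESET_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})(?P<suffix>\.[^/\\]+)?$"
)


def parse_member(name):
    """Split one file name into its file-set parts, or return None."""
    m = FILESET_RE.match(name)
    if m is None:
        return None
    try:
        created = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a real date and time
        return None
    return {
        "name": name,
        "prefix": m.group("prefix"),
        "seq": int(m.group("seq")),
        "created": created,
        "suffix": m.group("suffix") or "",
    }


def group_file_sets(names):
    """Group names by (prefix, suffix); members are sorted by sequence number."""
    sets = defaultdict(list)
    for name in names:
        member = parse_member(name)
        if member is not None:
            sets[(member["prefix"], member["suffix"])].append(member)
    for members in sets.values():
        members.sort(key=lambda m: m["seq"])
    return dict(sets)


def audit_file_set(members):
    """Report gaps, duplicates and timestamp regressions in one sorted set.

    A ring buffer removes its oldest files, so a first sequence number above 1
    is expected; only holes between the first and last member count as gaps.
    """
    seqs = [m["seq"] for m in members]
    present = set(seqs)
    return {
        "first_seq": seqs[0],
        "last_seq": seqs[-1],
        "missing": [n for n in range(seqs[0], seqs[-1] + 1) if n not in present],
        "duplicates": sorted(n for n in present if seqs.count(n) > 1),
        "time_regressions": [
            later["name"]
            for earlier, later in zip(members, members[1:])
            if later["created"] < earlier["created"]
        ],
    }


# Constructed directory listing; only the first name comes from the page.
SAMPLE_LISTING = [
    "Filename_00001_20230714101530.pcap",
    "Filename_00002_20230714102030.pcap",
    "Filename_00004_20230714103030.pcap",    # 00003 is absent
    "Filename_00005_20230714102500.pcap",    # stamped earlier than 00004
    "Filename_00006_20231345101530.pcap",    # month 13: rejected
    "dmz_edge_00007_20230714110000.pcapng",  # second set, underscore in prefix
    "dmz_edge_00008_20230714111000.pcapng",
    "notes.txt",                             # not a file-set member
]

if __name__ == "__main__":
    for key, members in group_file_sets(SAMPLE_LISTING).items():
        print(key, audit_file_set(members))
```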
1047
       File  File Set  Next File, File  File Set  Previous File
1049
1050           If the currently loaded file is part of a file set (see above),
1051           open the next / previous file in that set.
1052
1053       File  Export
1054
1055           Export captured data into an external format. Note: the data cannot
1056           be imported back into Wireshark, so be sure to keep the capture
1057           file.
1058
1059       File  Print
1060
1061           Print packet data from the current capture. You can select the
1062           range of packets to be printed (which packets are printed), and the
1063           output format of each packet (how each packet is printed). The
1064           output format will be similar to the displayed values, so a summary
1065           line, the packet details view, and/or the hex dump of the packet
1066           can be printed.
1067
1068           Printing options can be set with the Edit:Preferences menu item, or
1069           in the dialog box popped up by this menu item.
1070
1071       File  Quit
1072           Exit the application.
1073
       Edit  Copy  Description
           Copies the description of the selected field in the protocol tree
           to the clipboard.

       Edit  Copy  Fieldname
           Copies the fieldname of the selected field in the protocol tree to
           the clipboard.

       Edit  Copy  Value
           Copies the value of the selected field in the protocol tree to the
           clipboard.

       Edit  Copy  As Filter
1087
1088           Create a display filter based on the data currently highlighted in
1089           the packet details and copy that filter to the clipboard.
1090
1091           If that data is a field that can be tested in a display filter
1092           expression, the display filter will test that field; otherwise, the
1093           display filter will be based on the absolute offset within the
1094           packet. Therefore it could be unreliable if the packet contains
1095           protocols with variable-length headers, such as a source-routed
1096           token-ring packet.
1097
1098       Edit  Find Packet
1099
1100           Search forward or backward, starting with the currently selected
1101           packet (or the most recently selected packet, if no packet is
1102           selected). Search criteria can be a display filter expression, a
1103           string of hexadecimal digits, or a text string.
1104
1105           When searching for a text string, you can search the packet data,
1106           or you can search the text in the Info column in the packet list
1107           pane or in the packet details pane.
1108
1109           Hexadecimal digits can be separated by colons, periods, or dashes.
1110           Text string searches can be ASCII or Unicode (or both), and may be
1111           case insensitive.
1112
1113       Edit  Find Next, Edit  Find Previous
1114
1115           Search forward / backward for a packet matching the filter from the
1116           previous search, starting with the currently selected packet (or
1117           the most recently selected packet, if no packet is selected).
1118
1119       Edit  Mark Packet (toggle)
1120
           Mark (or unmark if currently marked) the selected packet. The field
           "frame.marked" is set for packets that are marked, so that, for
           example, a display filter can be used to display only marked
           packets, and so that the "Edit:Find Packet" dialog can be used to
           find the next or previous marked packet.
1126
1127       Edit  Find Next Mark, Edit  Find Previous Mark
1128           Find next or previous marked packet.
1129
1130       Edit  Mark All Packets, Edit  Unmark All Packets
1131           Mark or unmark all packets that are currently displayed.
1132
       Edit  Time Reference  Set Time Reference (toggle)
1134
1135           Set (or unset if currently set) the selected packet as a Time
1136           Reference packet. When a packet is set as a Time Reference packet,
1137           the timestamps in the packet list pane will be replaced with the
1138           string "REF". The relative time timestamp in later packets will
1139           then be calculated relative to the timestamp of this Time Reference
1140           packet and not the first packet in the capture.
1141
1142           Packets that have been selected as Time Reference packets will
1143           always be displayed in the packet list pane. Display filters will
1144           not affect or hide these packets.
1145
1146           If there is a column displayed for "Cumulative Bytes" this counter
1147           will be reset at every Time Reference packet.
1148
       Edit  Time Reference  Find Next, Edit  Time Reference  Find Previous
           Search forward or backward for a time referenced packet.
1152
1153       Edit  Configuration Profiles
1154           Manage configuration profiles to be able to use more than one set
1155           of preferences and configurations.
1156
1157       Edit  Preferences
           Set the GUI, capture, printing and protocol options (see
           "Preferences dialog" below).
1160
1161       View  Main Toolbar, View  Filter Toolbar, View  Statusbar
1162           Show or hide the main window controls.
1163
1164       View  Packet List, View  Packet Details, View  Packet Bytes
1165           Show or hide the main window panes.
1166
1167       View  Time Display Format
1168           Set the format of the packet timestamp displayed in the packet list
1169           window.
1170
       View  Name Resolution  Resolve Name
           Try to resolve a name for the currently selected item.

       View  Name Resolution  Enable for ... Layer
           Enable or disable translation of addresses to names in the display.
1176
1177       View  Colorize Packet List
1178           Enable or disable the coloring rules. Disabling will improve
1179           performance.
1180
1181       View  Auto Scroll in Live Capture
1182           Enable or disable the automatic scrolling of the packet list while
1183           a live capture is in progress.
1184
1185       View  Zoom In, View  Zoom Out
1186           Zoom into or out of the main window data (by changing the font
1187           size).
1188
1189       View  Normal Size
1190           Reset the zoom level back to normal font size.
1191
1192       View  Resize All Columns
1193           Resize all columns to best fit the current packet display.
1194
1195       View  Expand / Collapse Subtrees
1196           Expand or collapse the currently selected item and its subtrees in
1197           the packet details.
1198
1199       View  Expand All, View  Collapse All
1200           Expand or Collapse all branches of the packet details.
1201
1202       View  Colorize Conversation
1203           Select a color for a conversation.
1204
1205       View  Reset Coloring 1-10
1206           Reset a color for a conversation.
1207
1208       View  Coloring Rules
1209
1210           Change the foreground and background colors of the packet
1211           information in the list of packets, based upon display filters. The
1212           list of display filters is applied to each packet sequentially.
1213           After the first display filter matches a packet, any additional
1214           display filters in the list are ignored. Therefore, if you are
1215           filtering on the existence of protocols, you should list the
1216           higher-level protocols first, and the lower-level protocols last.
1217
1218       How Colorization Works
1219
1220           Packets are colored according to a list of color filters. Each
1221           filter consists of a name, a filter expression and a coloration. A
1222           packet is colored according to the first filter that it matches.
1223           Color filter expressions use exactly the same syntax as display
1224           filter expressions.
1225
1226           When Wireshark starts, the color filters are loaded from:
1227
1228            1. The user’s personal color filters file or, if that does not
1229               exist,
1230
1231            2. The global color filters file.
1232
1233           If neither of these exist then the packets will not be colored.
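
           An added example (not Wireshark code) of the first-match rule
           described under "Coloring Rules" and "How Colorization Works": it
           finds rules that can never color a packet because an earlier
           lower-level rule always matches first, then reorders them with the
           higher-level protocols first. The protocol layering table and the
           rule names are constructed, and each rule only tests whether a
           protocol exists in the packet.

```python
# Constructed, simplified layering: each protocol maps to the one it rides on.
PARENT = {
    "ip": "eth",
    "tcp": "ip",
    "udp": "ip",
    "http": "tcp",
    "tls": "tcp",
    "dns": "udp",
}


def stack_of(proto):
    """Protocols present in a packet whose last protocol is `proto`."""
    chain = [proto]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain[::-1]  # lowest layer first


def first_match(rules, proto_stack):
    """Return the name of the first rule whose protocol exists in the packet.

    `rules` is an ordered list of (name, protocol) pairs. Evaluation stops at
    the first hit, so later rules are never consulted for that packet.
    """
    present = set(proto_stack)
    for name, proto in rules:
        if proto in present:
            return name
    return None


def shadowed(rules):
    """Names of rules that can never win.

    A rule is shadowed when an earlier rule tests a protocol that is present
    in every packet that contains this rule's protocol.
    """
    dead = []
    for index, (name, proto) in enumerate(rules):
        always_present = set(stack_of(proto))
        if any(earlier in always_present for _, earlier in rules[:index]):
            dead.append(name)
    return dead


def higher_level_first(rules):
    """Stable reorder that puts rules for deeper protocols first."""
    return sorted(rules, key=lambda rule: -len(stack_of(rule[1])))


# Constructed rule list in a problematic order: "tcp" precedes "http".
RULES = [
    ("All TCP", "tcp"),
    ("Web", "http"),
    ("Name lookups", "dns"),
    ("All UDP", "udp"),
]

if __name__ == "__main__":
    print("shadowed as written:", shadowed(RULES))
    fixed = higher_level_first(RULES)
    print("reordered:", [name for name, _ in fixed])
    print("HTTP packet is now colored by:", first_match(fixed, stack_of("http")))
```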
1234
1235       View  Show Packet In New Window
1236
1237           Create a new window containing a packet details view and a hex dump
1238           window of the currently selected packet; this window will continue
1239           to display that packet’s details and data even if another packet is
1240           selected.
1241
1242       View  Reload
1243           Reload a capture file. Same as File:Close and File:Open the same
1244           file again.
1245
1246       Go  Back
1247           Go back in previously visited packets history.
1248
1249       Go  Forward
1250           Go forward in previously visited packets history.
1251
1252       Go  Go To Packet
1253           Go to a particular numbered packet.
1254
1255       Go  Go To Corresponding Packet
1256
1257           If a field in the packet details pane containing a packet number is
1258           selected, go to the packet number specified by that field. (This
1259           works only if the dissector that put that entry into the packet
1260           details put it into the details as a filterable field rather than
1261           just as text.) This can be used, for example, to go to the packet
1262           for the request corresponding to a reply, or the reply
1263           corresponding to a request, if that packet number has been put into
1264           the packet details.
1265
1266       Go  Previous Packet, Go  Next Packet, Go  First Packet, Go  Last
1267       Packet
1268           Go to the previous, next, first, or last packet in the capture.
1269
1270       Go  Previous Packet In Conversation, Go  Next Packet In Conversation
1271           Go to the previous or next packet of the TCP, UDP or IP
1272           conversation.
1273
1274       Capture  Interfaces
1275
1276           Shows a dialog box with all currently known interfaces and
1277           displaying the current network traffic amount. Capture sessions can
1278           be started from here. Beware: keeping this box open results in high
1279           system load!
1280
1281       Capture  Options
1282
           Initiate a live packet capture (see "Capture Options Dialog"
           below). If no filename is specified, a temporary file will be
           created to hold the capture. The location of the file can be chosen
           by setting your TMPDIR environment variable before starting
           Wireshark. Otherwise, the default TMPDIR location is
           system-dependent, but is likely either /var/tmp or /tmp.
1289
1290       Capture  Start
1291
1292           Start a live packet capture with the previously selected options.
1293           This won’t open the options dialog box, and can be convenient for
1294           repeatedly capturing with the same options.
1295
1296       Capture  Stop
1297           Stop a running live capture.
1298
1299       Capture  Restart
1300
1301           While a live capture is running, stop it and restart with the same
1302           options again. This can be convenient to remove irrelevant packets,
1303           if no valuable packets were captured so far.
1304
1305       Capture  Capture Filters
1306           Edit the saved list of capture filters, allowing filters to be
1307           added, changed, or deleted.
1308
1309       Analyze  Display Filters
1310           Edit the saved list of display filters, allowing filters to be
1311           added, changed, or deleted.
1312
1313       Analyze  Display Filter Macros
1314           Create shortcuts for complex macros.
1315
1316       Analyze  Apply as Filter
1317
1318           Create a display filter based on the data currently highlighted in
1319           the packet details and apply the filter.
1320
1321           If that data is a field that can be tested in a display filter
1322           expression, the display filter will test that field; otherwise, the
1323           display filter will be based on the absolute offset within the
1324           packet. Therefore it could be unreliable if the packet contains
1325           protocols with variable-length headers, such as a source-routed
1326           token-ring packet.
1327
1328           The Selected option creates a display filter that tests for a match
1329           of the data; the Not Selected option creates a display filter that
1330           tests for a non-match of the data. The And Selected, Or Selected,
1331           And Not Selected, and Or Not Selected options add to the end of the
1332           display filter in the strip at the top (or bottom) an AND or OR
1333           operator followed by the new display filter expression.
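
           An added example (not Wireshark code) of why the absolute-offset
           fallback described under "Copy As Filter" and "Apply as Filter" is
           unreliable. It goes beyond the token-ring case named in the text
           and uses IPv4 options as the variable-length header: a matcher
           built from highlighted bytes at a fixed frame offset is compared
           with one that follows the header-length field. Both frames are
           constructed, and the function names are illustrative.

```python
import struct

ETH_LEN = 14  # Ethernet II header without VLAN tag


def build_frame(dst_port, ip_options=b""):
    """Constructed Ethernet/IPv4/TCP SYN frame (checksums left at zero)."""
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH",
                      40000, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, ihl_words * 4 + len(tcp),
                     0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    return eth + ip + tcp


def offset_filter(offset, value):
    """Matcher equivalent to a byte-slice test at a fixed frame offset."""
    return lambda frame: frame[offset:offset + len(value)] == value


def filter_from_selection(frame, offset, length):
    """Build an offset filter from highlighted bytes (the fallback case)."""
    return offset_filter(offset, frame[offset:offset + length])


def field_filter(dst_port):
    """Matcher that finds the TCP header via the IPv4 header-length field."""
    def match(frame):
        if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
            return False                      # too short or not IPv4
        ihl = (frame[ETH_LEN] & 0x0F) * 4     # header length in bytes
        if ihl < 20 or frame[ETH_LEN + 9] != 6:
            return False                      # malformed or not TCP
        tcp = ETH_LEN + ihl
        if len(frame) < tcp + 4:
            return False
        return struct.unpack_from("!H", frame, tcp + 2)[0] == dst_port
    return match


PORT = 12345
PLAIN = build_frame(PORT)
WITH_OPTIONS = build_frame(PORT, ip_options=b"\x01\x01\x01\x01")  # four NOPs
DST_PORT_OFFSET = ETH_LEN + 20 + 2  # where the port sits when IHL is 5


def compare():
    """Run both matchers over both frames: [plain, with options]."""
    by_offset = filter_from_selection(PLAIN, DST_PORT_OFFSET, 2)
    by_field = field_filter(PORT)
    return {
        "offset": [by_offset(PLAIN), by_offset(WITH_OPTIONS)],
        "field": [by_field(PLAIN), by_field(WITH_OPTIONS)],
    }


if __name__ == "__main__":
    print(compare())
```

           The offset matcher misses the second frame even though it goes to
           the same port, because the four option bytes shift the TCP header.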
1334
1335       Analyze  Prepare as Filter
1336
1337           Create a display filter based on the data currently highlighted in
1338           the packet details. The filter strip at the top (or bottom) is
1339           updated but it is not yet applied.
1340
1341       Analyze  Enabled Protocols
1342
1343           Allow protocol dissection to be enabled or disabled for a specific
1344           protocol. Individual protocols can be enabled or disabled by
1345           clicking on them in the list or by highlighting them and pressing
1346           the space bar. The entire list can be enabled, disabled, or
1347           inverted using the buttons below the list.
1348
1349           When a protocol is disabled, dissection in a particular packet
1350           stops when that protocol is reached, and Wireshark moves on to the
1351           next packet. Any higher-layer protocols that would otherwise have
1352           been processed will not be displayed. For example, disabling TCP
1353           will prevent the dissection and display of TCP, HTTP, SMTP, Telnet,
1354           and any other protocol exclusively dependent on TCP.
1355
1356           The list of protocols can be saved, so that Wireshark will start up
1357           with the protocols in that list disabled.
1358
1359       Analyze  Decode As
1360
1361           If you have a packet selected, present a dialog allowing you to
1362           change which dissectors are used to decode this packet. The dialog
1363           has one panel each for the link layer, network layer and transport
1364           layer protocol/port numbers, and will allow each of these to be
1365           changed independently. For example, if the selected packet is a TCP
1366           packet to port 12345, using this dialog you can instruct Wireshark
1367           to decode all packets to or from that TCP port as HTTP packets.
1368
1369       Analyze  User Specified Decodes
1370
1371           Create a new window showing whether any protocol ID to dissector
1372           mappings have been changed by the user. This window also allows the
1373           user to reset all decodes to their default values.
1374
1375       Analyze  Follow TCP Stream
1376
1377           If you have a TCP packet selected, display the contents of the data
1378           stream for the TCP connection to which that packet belongs, as
1379           text, in a separate window, and leave the list of packets in a
1380           filtered state, with only those packets that are part of that TCP
1381           connection being displayed. You can revert to your old view by
1382           pressing ENTER in the display filter text box, thereby invoking
1383           your old display filter (or resetting it back to no display
1384           filter).
1385
1386           The window in which the data stream is displayed lets you select:
1387
1388           •   whether to display the entire conversation, or one or the other
1389               side of it;
1390
1391           •   whether the data being displayed is to be treated as ASCII or
1392               EBCDIC text or as raw hex data;
1393
1394           and lets you print what’s currently being displayed, using the same
1395           print options that are used for the File:Print Packet menu item, or
1396           save it as text to a file.
1397
1398       Analyze  Follow UDP Stream, Analyze  Follow TLS Stream
1399           Similar to Analyze:Follow TCP Stream.
1400
1401       Analyze  Expert Info, Analyze  Expert Info Composite
1402           Show anomalies found by Wireshark in a capture file.
1403
1404       Analyze  Conversation Filter, Statistics  Summary
1405
1406           Show summary information about the capture, including elapsed time,
1407           packet counts, byte counts, and the like. If a display filter is in
1408           effect, summary information will be shown about the capture and
1409           about the packets currently being displayed.
1410
1411       Statistics  Protocol Hierarchy
1412
1413           Show the number of packets, and the number of bytes in those
1414           packets, for each protocol in the trace. It organizes the protocols
1415           in the same hierarchy in which they were found in the trace.
1416           Besides counting the packets in which the protocol exists, a count
1417           is also made for packets in which the protocol is the last protocol
1418           in the stack. These last-protocol counts show you how many packets
1419           (and the byte count associated with those packets) ended in a
1420           particular protocol. In the table, they are listed under "End
1421           Packets" and "End Bytes".
1422
       Statistics:Conversations
           Lists of conversations; selectable by protocol. See
           Statistics:Conversation List below.

       Statistics:End Points
           List of End Point Addresses by protocol with packets, bytes, and
           other counts.

       Statistics:Packet Lengths
           Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)

       Statistics:I/O Graphs
1435
1436           Open a window where up to 5 graphs in different colors can be
1437           displayed to indicate number of packets or number of bytes per
1438           second for all packets matching the specified filter. By default
1439           only one graph will be displayed showing number of packets per
1440           second.
1441
1442           The top part of the window contains the graphs and scales for the X
1443           and Y axis. If the graph is too long to fit inside the window there
1444           is a horizontal scrollbar below the drawing area that can scroll
1445           the graphs to the left or the right. The horizontal axis displays
1446           the time into the capture and the vertical axis will display the
1447           measured quantity at that time.
1448
           Below the drawing area and the scrollbar are the controls. On the
           bottom left there are five similar sets of controls, one for each
           graph. "Display:<button>" toggles that individual graph on or off;
           if <button> is ticked, the graph will be displayed.
           "Color:<color>" is just a button that shows which color will be
           used to draw that graph. Finally, "Filter:<filter-text>" can be
           used to specify a display filter for that particular graph.
1457
1458           If filter-text is empty then all packets will be used to calculate
1459           the quantity for that graph. If filter-text is specified only those
1460           packets that match that display filter will be considered in the
1461           calculation of quantity.
1462
           To the right of the 5 graph controls there are four menus to
           control global aspects of the draw area and graphs. The "Unit:"
           menu is used to control what to measure: "packets/tick",
           "bytes/tick" or "advanced...".
1467
1468           packets/tick will measure the number of packets matching the (if
1469           specified) display filter for the graph in each measurement
1470           interval.
1471
1472           bytes/tick will measure the total number of bytes in all packets
1473           matching the (if specified) display filter for the graph in each
1474           measurement interval.
1475
1476           advanced... see below
1477
1478           "Tick interval:" specifies what measurement intervals to use. The
1479           default is 1 second and means that the data will be counted over 1
1480           second intervals.
1481
1482           "Pixels per tick:" specifies how many pixels wide each measurement
1483           interval will be in the drawing area. The default is 5 pixels per
1484           tick.
1485
           "Y-scale:" controls the maximum value for the y-axis. The default
           value is "auto", which means that Wireshark will try to adjust the
           maximum value automatically.

           "advanced..." If Unit:advanced... is selected the window will
           display two more controls for each of the five graphs. One control
           is a menu where the type of calculation can be selected from SUM,
           COUNT, MAX, MIN, AVG and LOAD, and the other is a text box where
           the name of a single display filter field can be specified.
1495
1496           The following restrictions apply to type and field combinations:
1497
           SUM: available for all types of integers and will calculate the SUM
           of all occurrences of this field in the measurement interval. Note
           that some fields can occur multiple times in the same packet, and
           then all instances will be summed up. Example: 'tcp.len', which
           will count the amount of payload data transferred across TCP in
           each interval.

           COUNT: available for all field types. This will COUNT the number of
           times a certain field occurs in each interval. Note that some
           fields may occur multiple times in each packet, and if that is the
           case then each instance will be counted independently and COUNT
           will be greater than the number of packets.

           MAX: available for all integer and relative time fields. This will
           calculate the maximum integer/time value seen for the field during
           the interval. Example: 'smb.time', which will plot the maximum SMB
           response time.

           MIN: available for all integer and relative time fields. This will
           calculate the minimum integer/time value seen for the field during
           the interval. Example: 'smb.time', which will plot the minimum SMB
           response time.

           AVG: available for all integer and relative time fields. This will
           calculate the average integer/time value seen for the field during
           the interval. Example: 'smb.time', which will plot the average SMB
           response time.
1525
1526           LOAD: available only for relative time fields (response times).
1527
           Example of advanced: Display how NFS response time MAX/MIN/AVG
           changes over time.

           Set first graph to:

               filter:nfs&&rpc.time
               Calc:MAX rpc.time

           Set second graph to:

               filter:nfs&&rpc.time
               Calc:AVG rpc.time

           Set third graph to:

               filter:nfs&&rpc.time
               Calc:MIN rpc.time

           Example of advanced: Display how the average packet size from host
           a.b.c.d changes over time.

           Set first graph to:

               filter:ip.addr==a.b.c.d&&frame.pkt_len
               Calc:AVG frame.pkt_len
1553
           LOAD: The LOAD io-stat type is very different from anything you
           have ever seen before! While the response times themselves, as
           plotted by MIN, MAX and AVG, are indications of the server load
           (which affects the server response time), the LOAD measurement
           measures the client load. What this measures is how much workload
           the client generates, i.e. how fast the client issues new commands
           when the previous ones have completed, or in other words the level
           of concurrency the client can maintain. The higher the number, the
           more commands the client is issuing and the faster it is issuing
           them. When the LOAD goes down, it may be because load on the client
           is making it slower in issuing new commands (there may be other
           reasons as well; maybe the client just doesn’t have any commands it
           wants to issue right then).

           Load is measured in concurrency (the number of overlapping I/Os),
           and the value 1000 means there is a constant load of one I/O.

           In each tick interval the amount of overlap is measured. The graph
           below contains three commands; below the graph are the LOAD values
           that would be calculated for each interval.
1573
1574               |     |     |     |     |     |     |     |     |
1575               |     |     |     |     |     |     |     |     |
1576               |     |  o=====*  |     |     |     |     |     |
1577               |     |     |     |     |     |     |     |     |
1578               |  o========*     | o============*  |     |     |
1579               |     |     |     |     |     |     |     |     |
1580               --------------------------------------------------> Time
1581                500   1500   500  750   1000   500    0     0
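
           The LOAD calculation described above, as an added example (not
           Wireshark's own code). The request/response timestamps are
           constructed to match the three commands in the diagram with a
           1 second tick, and skipping unanswered requests is an assumption.

```python
from typing import List, Optional, Tuple

# (request time, response time) in milliseconds since the start of the capture.
# A response time of None marks a request for which no response was captured.
Command = Tuple[int, Optional[int]]

# Constructed sample: timestamps read off the diagram (one column = 1 s tick).
SAMPLE_COMMANDS: List[Command] = [
    (500, 2000),    # lower-left command: starts mid tick 0, ends at tick 2
    (1500, 2500),   # upper command: overlaps the first one during tick 1
    (3250, 5500),   # lower-right command
]


def load_per_tick(commands: List[Command], tick_ms: int = 1000,
                  n_ticks: int = 8) -> List[int]:
    """Return the LOAD value for each tick interval.

    For every tick, add up how long each command was outstanding inside that
    tick, then scale so that 1000 means "one command outstanding for the
    whole tick".
    """
    if tick_ms <= 0 or n_ticks < 0:
        raise ValueError("tick_ms must be positive and n_ticks non-negative")

    outstanding_ms = [0] * n_ticks
    for start, end in commands:
        if end is None:
            # Assumption: without a response there is no response time,
            # so the request contributes nothing.
            continue
        if start < 0 or end < start:
            raise ValueError(f"bad command interval: {start}..{end}")

        first_tick = start // tick_ms
        last_tick = min(end // tick_ms, n_ticks - 1)
        for tick in range(first_tick, last_tick + 1):
            tick_start = tick * tick_ms
            tick_end = tick_start + tick_ms
            # Portion of [start, end) that falls inside this tick.
            overlap = min(end, tick_end) - max(start, tick_start)
            outstanding_ms[tick] += max(overlap, 0)

    return [ms * 1000 // tick_ms for ms in outstanding_ms]


if __name__ == "__main__":
    # Same values as the row under the diagram.
    print(load_per_tick(SAMPLE_COMMANDS))
    # A 2 second tick averages the same commands over wider intervals.
    print(load_per_tick(SAMPLE_COMMANDS, tick_ms=2000, n_ticks=4))
```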
1582
       Statistics:Conversation List

           This option will open a new window that displays a list of all
           conversations between two endpoints. The list has one row for each
           unique conversation and displays total number of packets/bytes seen
           as well as number of packets/bytes in each direction.

           By default the list is sorted according to the number of packets,
           but by clicking on a column header it is possible to re-sort the
           list in ascending or descending order by any column.
1593
1594           By first selecting a conversation by clicking on it and then using
1595           the right mouse button (on those platforms that have a right mouse
1596           button) Wireshark will display a popup menu offering several
1597           different filter operations to apply to the capture.
1598
1599           These statistics windows can also be invoked from the Wireshark
1600           command line using the -z conv argument.
1601
       Statistics:Service Response Time
1603
1604           •   AFP
1605
1606           •   CAMEL
1607
1608           •   DCE-RPC
1609
1610           Open a window to display Service Response Time statistics for an
1611           arbitrary DCE-RPC program interface and display Procedure, Number
1612           of Calls, Minimum SRT, Maximum SRT and Average SRT for all
1613           procedures for that program/version. These windows opened will
1614           update in semi-real time to reflect changes when doing live
1615           captures or when reading new capture files into Wireshark.
1616
1617           This dialog will also allow an optional filter string to be used.
1618           If an optional filter string is used only such DCE-RPC
1619           request/response pairs that match that filter will be used to
1620           calculate the statistics. If no filter string is specified all
1621           request/response pairs will be used.
1622
1623           •   Diameter
1624
1625           •   Fibre Channel
1626
1627           Open a window to display Service Response Time statistics for Fibre
1628           Channel and display FC Type, Number of Calls, Minimum SRT, Maximum
1629           SRT and Average SRT for all FC types. These windows opened will
1630           update in semi-real time to reflect changes when doing live
1631           captures or when reading new capture files into Wireshark. The
1632           Service Response Time is calculated as the time delta between the
1633           First packet of the exchange and the Last packet of the exchange.
1634
1635           This dialog will also allow an optional filter string to be used.
1636           If an optional filter string is used only such FC first/last
1637           exchange pairs that match that filter will be used to calculate the
1638           statistics. If no filter string is specified all request/response
1639           pairs will be used.
1640
1641           •   GTP
1642
1643           •   H.225 RAS
1644
1645           Collect requests/response SRT (Service Response Time) data for
1646           ITU-T H.225 RAS. Data collected is number of calls for each known
1647           ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1648           SRT, Minimum in Packet, and Maximum in Packet. You will also get
1649           the number of Open Requests (Unresponded Requests), Discarded
1650           Responses (Responses without matching request) and Duplicate
1651           Messages. These windows opened will update in semi-real time to
1652           reflect changes when doing live captures or when reading new
1653           capture files into Wireshark.
1654
1655           You can apply an optional filter string in a dialog box, before
1656           starting the calculation. The statistics will only be calculated on
1657           those calls matching that filter.
1658
1659           •   LDAP
1660
1661           •   MEGACO
1662
1663           •   MGCP
1664
1665           Collect requests/response SRT (Service Response Time) data for
1666           MGCP. Data collected is number of calls for each known MGCP Type,
1667           Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and
1668           Maximum in Packet. These windows opened will update in semi-real
1669           time to reflect changes when doing live captures or when reading
1670           new capture files into Wireshark.
1671
1672           You can apply an optional filter string in a dialog box, before
1673           starting the calculation. The statistics will only be calculated on
1674           those calls matching that filter.
1675
1676           •   NCP
1677
1678           •   ONC-RPC
1679
1680           Open a window to display statistics for an arbitrary ONC-RPC
1681           program interface and display Procedure, Number of Calls, Minimum
1682           SRT, Maximum SRT and Average SRT for all procedures for that
1683           program/version. These windows opened will update in semi-real time
1684           to reflect changes when doing live captures or when reading new
1685           capture files into Wireshark.
1686
1687           This dialog will also allow an optional filter string to be used.
1688           If an optional filter string is used only such ONC-RPC
1689           request/response pairs that match that filter will be used to
1690           calculate the statistics. If no filter string is specified all
1691           request/response pairs will be used.
1692
1693           By first selecting a conversation by clicking on it and then using
1694           the right mouse button (on those platforms that have a right mouse
1695           button) Wireshark will display a popup menu offering several
1696           different filter operations to apply to the capture.
1697
1698           •   RADIUS
1699
1700           •   SCSI
1701
1702           •   SMB
1703
1704           Collect call/reply SRT (Service Response Time) data for SMB. Data
1705           collected is the number of calls for each SMB command, MinSRT,
1706           MaxSRT and AvgSRT.
1707
           The data will be presented as separate tables for all normal SMB
           commands, all Transaction2 commands and all NT Transaction
           commands. Only those commands that are seen in the capture will
           have their stats displayed. Only the first command in an xAndX
           command chain will be used in the calculation. So for common
           SessionSetupAndX + TreeConnectAndX chains, only the
           SessionSetupAndX call will be used in the statistics. This is a
           flaw that might be fixed in the future.
1716
1717           You can apply an optional filter string in a dialog box, before
1718           starting the calculation. The stats will only be calculated on
1719           those calls matching that filter.
1720
1721           By first selecting a conversation by clicking on it and then using
1722           the right mouse button (on those platforms that have a right mouse
1723           button) Wireshark will display a popup menu offering several
1724           different filter operations to apply to the capture.
1725
1726           •   SMB2
1727
       Statistics:BOOTP-DHCP
           Show DHCP statistics.

       Statistics:Compare
           Compare two capture files.

       Statistics:Flow Graph
           Show protocol flows.

       Statistics:HTTP
           HTTP Load Distribution, Packet Counter & Requests.

       Statistics:IP Addresses
           Count, Rate, and Percent by IP Address.

       Statistics:IP Destinations
           Count, Rate, and Percent by IP Address, protocol, and port.

       Statistics:IP Protocol Types
           Count, Rate, and Percent by IP Protocol Types.

       Statistics:ONC-RPC Programs
           This dialog will open a window showing aggregated SRT statistics
           for all ONC-RPC Programs/versions that exist in the capture file.

       Statistics:TCP Stream Graph
           Show Round Trip, Throughput, Time-Sequence (Stevens), or
           Time-Sequence (tcptrace) graphs.

       Statistics:UDP Multicast streams
           Multicast Streams counts, rates, and other statistics by source and
           destination address and port pairs.

       Statistics:WLAN Traffic
           WLAN Traffic Statistics.

       Telephony:ITU-T H.225
1765
1766           Count ITU-T H.225 messages and their reasons. In the first column
1767           you get a list of H.225 messages and H.225 message reasons, which
1768           occur in the current capture file. The number of occurrences of
1769           each message or reason will be displayed in the second column. This
1770           window opened will update in semi-real time to reflect changes when
1771           doing live captures or when reading new capture files into
1772           Wireshark.
1773
1774           You can apply an optional filter string in a dialog box, before
1775           starting the counter. The statistics will only be calculated on
1776           those calls matching that filter.
1777
       Telephony:SIP
1779
1780           Activate a counter for SIP messages. You will get the number of
1781           occurrences of each SIP Method and of each SIP Status-Code.
1782           Additionally you also get the number of resent SIP Messages (only
1783           for SIP over UDP).
1784
1785           This window opened will update in semi-real time to reflect changes
1786           when doing live captures or when reading new capture files into
1787           Wireshark.
1788
1789           You can apply an optional filter string in a dialog box, before
1790           starting the counter. The statistics will only be calculated on
1791           those calls matching that filter.
1792
       Tools:Firewall ACL Rules
           Generate firewall rules for a selected packet.

       Help:Contents
           Display the User’s Guide.

       Help:Supported Protocols
           List of supported protocols and display filter protocol fields.

       Help:Manual Pages
           Display locally installed HTML versions of these manual pages in a
           web browser.

       Help:Wireshark Online
           Various links to online resources to be opened in a web browser,
           like https://www.wireshark.org.

       Help:About Wireshark
           See various information about Wireshark (see About dialog below),
           like the version, the folders used, the available plugins, ...
1813
1814   WINDOWS
1815       Main Window
1816
           The main window contains the usual things like the menu, some
           toolbars, the main area and a statusbar. The main area is split
           into three panes; you can resize each pane using a "thumb" at the
           right end of each divider line.

           The main window is much more flexible than before. The layout of
           the main window can be customized by the Layout page in the dialog
           box popped up by Edit:Preferences; the following describes the
           layout with the default settings.
1826
1827       Main Toolbar
1828
           Some menu items are available for quick access here. There is no
           way to customize the items in the toolbar; however, the toolbar
           can be hidden by View:Main Toolbar.
1832
1833       Filter Toolbar
1834
           A display filter can be entered into the filter toolbar. A filter
           for HTTP, HTTPS, and DNS traffic on their usual TCP ports might
           look like this:
1837
1838               tcp.port in {80 443 53}
1839
1840           Selecting the Filter: button lets you choose from a list of named
1841           filters that you can optionally save. Pressing the Return or Enter
1842           keys, or selecting the Apply button, will cause the filter to be
1843           applied to the current list of packets. Selecting the Reset button
1844           clears the display filter so that all packets are displayed
1845           (again).
1846
           There is no way to customize the items in the toolbar; however,
           the toolbar can be hidden by View:Filter Toolbar.
1849
1850       Packet List Pane
1851
1852           The top pane contains the list of network packets that you can
1853           scroll through and select. By default, the packet number, packet
1854           timestamp, source and destination addresses, protocol, and
1855           description are displayed for each packet; the Columns page in the
1856           dialog box popped up by Edit:Preferences lets you change this
1857           (although, unfortunately, you currently have to save the
1858           preferences, and exit and restart Wireshark, for those changes to
1859           take effect).
1860
1861           If you click on the heading for a column, the display will be
1862           sorted by that column; clicking on the heading again will reverse
1863           the sort order for that column.
1864
1865           An effort is made to display information as high up the protocol
1866           stack as possible, e.g. IP addresses are displayed for IP packets,
1867           but the MAC layer address is displayed for unknown packet types.
1868
1869           The right mouse button can be used to pop up a menu of operations.
1870
1871           The middle mouse button can be used to mark a packet.
1872
1873       Packet Details Pane
1874
1875           The middle pane contains a display of the details of the
1876           currently-selected packet. The display shows each field and its
1877           value in each protocol header in the stack. The right mouse button
1878           can be used to pop up a menu of operations.
1879
1880       Packet Bytes Pane
1881
1882           The lowest pane contains a hex and ASCII dump of the actual packet
1883           data. Selecting a field in the packet details highlights the
1884           corresponding bytes in this section.
1885
1886           The right mouse button can be used to pop up a menu of operations.
1887
1888       Statusbar
1889
           The statusbar is divided into three parts: on the left, some
           context-dependent things are shown, like information about the
           loaded file; in the center, the number of packets is displayed;
           and on the right, the current configuration profile.
1894
1895           The statusbar can be hidden by View:Statusbar.
1896
1897       Preferences
1898           Adjust the behavior of Wireshark.
1899
1900       User Interface Preferences
1901           Modify the UI to your own personal tastes.
1902
1903       Selection Bars
1904
1905           The selection bar in the packet list and packet details can have
1906           either a "browse" or "select" behavior. If the selection bar has a
1907           "browse" behavior, the arrow keys will move an outline of the
1908           selection bar, allowing you to browse the rest of the list or
1909           details without changing the selection until you press the space
1910           bar. If the selection bar has a "select" behavior, the arrow keys
1911           will move the selection bar and change the selection to the new
1912           item in the packet list or packet details.
1913
1914       Save Window Position
1915
1916           If this item is selected, the position of the main Wireshark window
1917           will be saved when Wireshark exits, and used when Wireshark is
1918           started again.
1919
1920       Save Window Size
1921
1922           If this item is selected, the size of the main Wireshark window
1923           will be saved when Wireshark exits, and used when Wireshark is
1924           started again.
1925
1926       Save Window Maximized state
1927
           If this item is selected, the maximized state of the main Wireshark
           window will be saved when Wireshark exits, and used when Wireshark
           is started again.
1931
1932       File Open Dialog Behavior
1933
1934           This item allows the user to select how Wireshark handles the
1935           listing of the "File Open" Dialog when opening trace files.
1936           "Remember Last Directory" causes Wireshark to automatically
1937           position the dialog in the directory of the most recently opened
1938           file, even between launches of Wireshark. "Always Open in
1939           Directory" allows the user to define a persistent directory that
1940           the dialog will always default to.
1941
1942       Directory
1943
1944           Allows the user to specify a persistent File Open directory.
1945           Trailing slashes or backslashes will automatically be added.
1946
1947       File Open Preview timeout
1948
           This item allows the user to define how much time is spent reading
           the capture file to present preview data in the File Open dialog.
1951
1952       Open Recent maximum list entries
1953
           The File menu supports a recent file list. This item allows the
           user to specify how many files are kept track of in this list.
1956
1957       Ask for unsaved capture files
1958
           When this item is set and a capture file that has not been saved
           yet is closed, or Wireshark itself is closed, the user is
           presented with the option to save the file.
1962
1963       Wrap during find
1964
           This item determines the behavior when reaching the beginning or
           the end of a capture file. When set, the search wraps around and
           continues; otherwise it stops.
1968
1969       Settings dialogs show a save button
1970
           This item determines whether the various dialogs have an explicit
           Save button or whether saving is implicit in OK / Apply.
1973
1974       Web browser command
1975
1976           This entry specifies the command line to launch a web browser. It
1977           is used to access online content, like the Wiki and user guide. Use
1978           '%s' to place the request URL in the command line.
1979
1980       Layout Preferences
1981
1982           The Layout page lets you specify the general layout of the main
1983           window. You can choose from six different layouts and fill the
1984           three panes with the contents you like.
1985
1986       Scrollbars
1987
1988           The vertical scrollbars in the three panes can be set to be either
1989           on the left or the right.
1990
1991       Alternating row colors, Hex Display
1992
1993           The highlight method in the hex dump display for the selected
1994           protocol item can be set to use either inverse video, or bold
1995           characters.
1996
1997       Toolbar style, Filter toolbar placement, Custom window title, Column
1998       Preferences
1999
2000           The Columns page lets you specify the number, title, and format of
2001           each column in the packet list.
2002
2003           The Column title entry is used to specify the title of the column
2004           displayed at the top of the packet list. The type of data that the
2005           column displays can be specified using the Column format option
2006           menu. The row of buttons on the left perform the following actions:
2007
2008       New
2009           Adds a new column to the list.
2010
2011       Delete
2012           Deletes the currently selected list item.
2013
2014       Up / Down
2015           Moves the selected list item up or down one position.
2016
2017       Font Preferences
2018           The Font page lets you select the font to be used for most text.
2019
2020       Color Preferences
2021
2022           The Colors page can be used to change the color of the text
2023           displayed in the TCP stream window and for marked packets. To
2024           change a color, simply select an attribute from the "Set:" menu and
2025           use the color selector to get the desired color. The new text
2026           colors are displayed as a sample text.
2027
2028       Capture Preferences
2029
2030           The Capture page lets you specify various parameters for capturing
2031           live packet data; these are used the first time a capture is
2032           started.
2033
2034           The Interface: combo box lets you specify the interface from which
2035           to capture packet data, or the name of a FIFO from which to get the
2036           packet data.
2037
2038           The Data link type: option menu lets you, for some interfaces,
2039           select the data link header you want to see on the packets you
2040           capture. For example, in some OSes and with some versions of
2041           libpcap, you can choose, on an 802.11 interface, whether the
2042           packets should appear as Ethernet packets (with a fake Ethernet
2043           header) or as 802.11 packets.
2044
2045           The Limit each packet to ... bytes check box lets you set the
2046           snapshot length to use when capturing live data; turn on the check
2047           box, and then set the number of bytes to use as the snapshot
2048           length.
2049
2050           The Filter: text entry lets you set a capture filter expression to
2051           be used when capturing.
2052
2053           If any of the environment variables SSH_CONNECTION, SSH_CLIENT,
2054           REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create
2055           a default capture filter that excludes traffic from the hosts and
2056           ports defined in those variables.
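
           How such a default filter can be derived from the SSH variables,
           as an added example (not Wireshark's code; the exact expression
           Wireshark generates is not shown on this page and may differ). The
           function name and the sample addresses are hypothetical.

```python
import ipaddress
from typing import Mapping


def _host(addr: str) -> str:
    """Return a pcap-filter host term, rejecting anything that is not an IP."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    return f"{'ip6' if ip.version == 6 else 'ip'} host {ip}"


def _port(text: str) -> int:
    """Parse a TCP port, rejecting non-numeric or out-of-range values."""
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port


def management_session_filter(env: Mapping[str, str]) -> str:
    """Build a capture filter that excludes the SSH session used to log in.

    SSH_CONNECTION is "client_ip client_port server_ip server_port";
    SSH_CLIENT is "client_ip client_port server_port".
    Returns "" when neither variable is set and raises ValueError when a
    variable is present but malformed, so that untrusted environment
    contents never end up inside the filter expression.
    """
    if "SSH_CONNECTION" in env:
        fields = env["SSH_CONNECTION"].split()
        if len(fields) != 4:
            raise ValueError("SSH_CONNECTION must have four fields")
        c_ip, c_port, s_ip, s_port = fields
        return (f"not (tcp port {_port(c_port)} and {_host(c_ip)} "
                f"and tcp port {_port(s_port)} and {_host(s_ip)})")

    if "SSH_CLIENT" in env:
        fields = env["SSH_CLIENT"].split()
        if len(fields) != 3:
            raise ValueError("SSH_CLIENT must have three fields")
        c_ip, c_port, s_port = fields
        return (f"not (tcp port {_port(c_port)} and {_host(c_ip)} "
                f"and tcp port {_port(s_port)})")

    return ""


if __name__ == "__main__":
    # Constructed sample environment (documentation address ranges).
    sample_env = {"SSH_CONNECTION": "192.0.2.10 51514 198.51.100.7 22"}
    print(management_session_filter(sample_env))
```

           Without such a filter, a capture started from an SSH login records
           the packets that carry its own session.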
2057
2058           The Capture packets in promiscuous mode check box lets you specify
2059           whether to put the interface in promiscuous mode when capturing.
2060
2061           The Update list of packets in real time check box lets you specify
2062           that the display should be updated as packets are seen.
2063
2064           The Automatic scrolling in live capture check box lets you specify
2065           whether, in an "Update list of packets in real time" capture, the
2066           packet list pane should automatically scroll to show the most
2067           recently captured packets.
2068
2069       Printing Preferences
2070
           The radio buttons at the top of the Printing page allow you to
           choose between printing packets with the File:Print Packet menu
           item as text or PostScript, and sending the output directly to a
           command or saving it to a file. The Command: text entry box, on
           UNIX-compatible systems, is the command to send files to (usually
           lpr), and the File: entry box lets you enter the name of the file
           you wish to save to. Additionally, you can select the File: button
           to browse the file system for a particular save file.
2079
2080       Name Resolution Preferences
2081
2082           The Enable MAC name resolution, Enable network name resolution and
2083           Enable transport name resolution check boxes let you specify
2084           whether MAC addresses, network addresses, and transport-layer port
2085           numbers should be translated to names.
2086
           The Enable concurrent DNS name resolution option allows Wireshark
           to send out multiple name resolution requests and not wait for the
           result before continuing dissection. This speeds up dissection
           with network name resolution but initially may miss resolutions.
           The number of concurrent requests can be set here as well.
2092
2093           SMI paths
2094
2095           SMI modules
2096
2097       RTP Player Preferences
2098
2099           This page allows you to select the number of channels visible in
2100           the RTP player window. It determines the height of the window; more
2101           channels are possible and visible by means of a scroll bar.
2102
2103       Protocol Preferences
2104
2105           There are also pages for various protocols that Wireshark dissects,
2106           controlling the way Wireshark handles those protocols.
2107
2108       Edit Capture Filter List, Edit Display Filter List, Capture Filter,
2109       Display Filter, Read Filter, Search Filter
2110
2111           The Edit Capture Filter List dialog lets you create, modify, and
2112           delete capture filters, and the Edit Display Filter List dialog
2113           lets you create, modify, and delete display filters.
2114
2115           The Capture Filter dialog lets you do all of the editing operations
2116           listed, and also lets you choose or construct a filter to be used
2117           when capturing packets.
2118
2119           The Display Filter dialog lets you do all of the editing operations
2120           listed, and also lets you choose or construct a filter to be used
2121           to filter the current capture being viewed.
2122
2123           The Read Filter dialog lets you do all of the editing operations
2124           listed, and also lets you choose or construct a filter to be used
2125           as a read filter for a capture file you open.
2126
2127           The Search Filter dialog lets you do all of the editing operations
2128           listed, and also lets you choose or construct a filter expression
2129           to be used in a find operation.
2130
2131           In all of those dialogs, the Filter name entry specifies a
2132           descriptive name for a filter, e.g. Web and DNS traffic. The Filter
2133           string entry is the text that actually describes the filtering
2134           action to take, as described above. The dialog buttons perform the
2135           following actions:
2136
2137       New
2138           If there is text in the two entry boxes, creates a new associated
2139           list item.
2140
2141       Edit
2142           Modifies the currently selected list item to match what’s in the
2143           entry boxes.
2144
2145       Delete
2146           Deletes the currently selected list item.
2147
2148       Add Expression...
2149
2150           For display filter expressions, pops up a dialog box to allow you
2151           to construct a filter expression to test a particular field; it
2152           offers lists of field names, and, when appropriate, lists from
2153           which to select tests to perform on the field and values with which
2154           to compare it. In that dialog box, the OK button will cause the
2155           filter expression you constructed to be entered into the Filter
2156           string entry at the current cursor position.
2157
2158       OK
2159
2160           In the Capture Filter dialog, closes the dialog box and makes the
2161           filter in the Filter string entry the filter in the Capture
2162           Preferences dialog. In the Display Filter dialog, closes the dialog
2163           box and makes the filter in the Filter string entry the current
2164           display filter, and applies it to the current capture. In the Read
2165           Filter dialog, closes the dialog box and makes the filter in the
2166           Filter string entry the filter in the Open Capture File dialog. In
2167           the Search Filter dialog, closes the dialog box and makes the
2168           filter in the Filter string entry the filter in the Find Packet
2169           dialog.
2170
2171       Apply
2172           Makes the filter in the Filter string entry the current display
2173           filter, and applies it to the current capture.
2174
2175       Save
2176
2177           If the list of filters being edited is the list of capture filters,
2178           saves the current filter list to the personal capture filters file,
2179           and if the list of filters being edited is the list of display
2180           filters, saves the current filter list to the personal display
2181           filters file.
2182
2183       Close
2184           Closes the dialog without doing anything with the filter in the
2185           Filter string entry.
2186
2187       The Color Filters Dialog
2188           This dialog displays a list of color filters and allows it to be
2189           modified.
2190
2191       THE FILTER LIST
2192
2193           Single rows may be selected by clicking. Multiple rows may be
2194           selected by using the ctrl and shift keys in combination with the
2195           mouse button.
2196
2197       NEW
2198
2199           Adds a new filter at the bottom of the list and opens the Edit
2200           Color Filter dialog box. You will have to alter at least the filter
2201           expression before the filter will be accepted. The format
2202           of color filter expressions is identical to that of display
2203           filters. The new filter is selected, so it may immediately be moved
2204           up and down, deleted or edited. To avoid confusion all filters are
2205           unselected before the new filter is created.
2206
2207       EDIT
2208
2209           Opens the Edit Color Filter dialog box for the selected filter. (If
2210           this button is disabled you may have more than one filter selected,
2211           making it ambiguous which is to be edited.)
2212
2213       ENABLE
2214           Enables the selected color filter(s).
2215
2216       DISABLE
2217           Disables the selected color filter(s).
2218
2219       DELETE
2220           Deletes the selected color filter(s).
2221
2222       EXPORT
2223
2224           Allows you to choose a file in which to save the current list of
2225           color filters. You may also choose to save only the selected
2226           filters. A button is provided to save the filters in the global
2227           color filters file (you must have sufficient permissions to write
2228           this file, of course).
2229
2230       IMPORT
2231
2232           Allows you to choose a file containing color filters which are then
2233           added to the bottom of the current list. All the added filters are
2234           selected, so they may be moved to the correct position in the list
2235           as a group. To avoid confusion, all filters are unselected before
2236           the new filters are imported. A button is provided to load the
2237           filters from the global color filters file.
2238
2239       CLEAR
2240           Deletes your personal color filters file, reloads the global color
2241           filters file, if any, and closes the dialog.
2242
2243       UP
2244           Moves the selected filter(s) up the list, making it more likely
2245           that they will be used to color packets.
2246
2247       DOWN
2248           Moves the selected filter(s) down the list, making it less likely
2249           that they will be used to color packets.
2250
2251       OK
2252           Closes the dialog and uses the color filters as they stand.
2253
2254       APPLY
2255           Colors the packets according to the current list of color filters,
2256           but does not close the dialog.
2257
2258       SAVE
2259
2260           Saves the current list of color filters in your personal color
2261           filters file. Unless you do this they will not be used the next
2262           time you start Wireshark.
2263
2264       CLOSE
2265
2266           Closes the dialog without changing the coloration of the packets.
2267           Note that changes you have made to the current list of color
2268           filters are not undone.
2269
2270       Capture Options Dialog
2271
2272           The Capture Options Dialog lets you specify various parameters for
2273           capturing live packet data.
2274
2275           The Interface: field lets you specify the interface from which to
2276           capture packet data or a command from which to get the packet data
2277           via a pipe.
2278
2279           The Link layer header type: field lets you specify the interface's
2280           link layer header type. This field is usually disabled, as most
2281           interfaces have only one header type.
2282
2283           The Capture packets in promiscuous mode check box lets you specify
2284           whether the interface should be put into promiscuous mode when
2285           capturing.
2286
2287           The Limit each packet to ... bytes check box and field let you
2288           specify a maximum number of bytes per packet to capture and save;
2289           if the check box is not checked, the limit will be 262144 bytes.
2290
2291           The Capture Filter: entry lets you specify the capture filter using
2292           a tcpdump-style filter string as described above.
2293
2294           The File: entry lets you specify the file into which captured
2295           packets should be saved, as in the Printer Options dialog above. If
2296           not specified, the captured packets will be saved in a temporary
2297           file; you can save those packets to a file with the File:Save As
2298           menu item.
2299
2300           The Use multiple files check box lets you specify that the capture
2301           should be done in "multiple files" mode. This option is disabled
2302           if the Update list of packets in real time option is checked.
2303
2304           The Next file every ... megabyte(s) check box and fields let you
2305           specify that a switch to a next file should be done if the
2306           specified filesize is reached. You can also select the appropriate
2307           unit, but beware that the filesize has a maximum of 2 GiB. The
2308           check box is forced to be checked, as "multiple files" mode
2309           requires a file size to be specified.
2310
2311           The Next file every ... minute(s) check box and fields let you
2312           specify that the switch to a next file should be done after the
2313           specified time has elapsed, even if the specified capture size is
2314           not reached.
2315
2316           The Ring buffer with ... files field lets you specify the number of
2317           files of a ring buffer. This feature will capture into the first
2318           file again, after the specified number of files have been used.
2319
2320           The Stop capture after ... files field lets you specify the number
2321           of capture files used, until the capture is stopped.
2322
2323           The Stop capture after ... packet(s) check box and field let you
2324           specify that Wireshark should stop capturing after having captured
2325           some number of packets; if the check box is not checked, Wireshark
2326           will not stop capturing at some fixed number of captured packets.
2327
2328           The Stop capture after ... megabyte(s) check box and field let you
2329           specify that Wireshark should stop capturing after the file to
2330           which captured packets are being saved grows as large as or larger
2331           than some specified number of megabytes. If the check box is not
2332           checked, Wireshark will not stop capturing at some capture file
2333           size (although the operating system on which Wireshark is running,
2334           or the available disk space, may still limit the maximum size of a
2335           capture file). This option is disabled if "multiple files" mode is
2336           used.
2337
2338           The Stop capture after ... second(s) check box and field let you
2339           specify that Wireshark should stop capturing after it has been
2340           capturing for some number of seconds; if the check box is not
2341           checked, Wireshark will not stop capturing after some fixed time
2342           has elapsed.
2343
2344           The Update list of packets in real time check box lets you specify
2345           whether the display should be updated as packets are captured and,
2346           if you specify that, the Automatic scrolling in live capture check
2347           box lets you specify the packet list pane should automatically
2348           scroll to show the most recently captured packets as new packets
2349           arrive.
2350
2351           The Enable MAC name resolution, Enable network name resolution and
2352           Enable transport name resolution check boxes let you specify
2353           whether MAC addresses, network addresses, and transport-layer port
2354           numbers should be translated to names.
2355
2356       About
2357           The About dialog lets you view various information about Wireshark.
2358
2359       About  Wireshark
2360
2361           The Wireshark page lets you view general information about
2362           Wireshark, like the installed version, licensing information and
2363           such.
2364
2365       About  Authors
2366           The Authors page shows the author and all contributors.
2367
2368       About  Folders
2369
2370           The Folders page lets you view the directory names where Wireshark
2371           is searching for its various configuration and other files.
2372
2373       About  Plugins
2374
2375           The Plugins page lets you view the dissector plugin modules
2376           available on your system.
2377
2378           The Plugins List shows the name and version of each dissector
2379           plugin module found on your system.
2380
2381           On Unix-compatible systems, the plugins are looked for in the
2382           following directories: the lib/wireshark/plugins/$VERSION directory
2383           under the main installation directory (for example,
2384           /usr/local/lib/wireshark/plugins/$VERSION), and then
2385           $HOME/.wireshark/plugins.
2386
2387           On Windows systems, the plugins are looked for in the following
2388           directories: plugins\$VERSION directory under the main installation
2389           directory (for example, C:\Program
2390           Files\Wireshark\plugins\$VERSION), and then
2391           %APPDATA%\Wireshark\plugins\$VERSION (or, if %APPDATA% isn’t
2392           defined, %USERPROFILE%\Application
2393           Data\Wireshark\plugins\$VERSION).
2394
2395           $VERSION is the version number of the plugin interface, which is
2396           typically the version number of Wireshark. Note that a dissector
2397           plugin module may support more than one protocol; there is not
2398           necessarily a one-to-one correspondence between dissector plugin
2399           modules and protocols. Protocols supported by a dissector plugin
2400           module are enabled and disabled using the Edit:Protocols dialog
2401           box, just as protocols built into Wireshark are.
2402

CAPTURE FILTER SYNTAX

2404       See the manual page of pcap-filter(7) or, if that doesn’t exist,
2405       tcpdump(8), or, if that doesn’t exist,
2406       https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
2407

DISPLAY FILTER SYNTAX

2409       For a complete table of protocol and protocol fields that are
2410       filterable in Wireshark see the wireshark-filter(4) manual page.
2411

FILES

2413       These files contain various Wireshark configuration settings.
2414
2415       Preferences
2416
2417           The preferences files contain global (system-wide) and personal
2418           preference settings. If the system-wide preference file exists, it
2419           is read first, overriding the default settings. If the personal
2420           preferences file exists, it is read next, overriding any previous
2421           values. Note: If the command line flag -o is used (possibly more
2422           than once), it will in turn override values from the preferences
2423           files.
2424
2425           The preferences settings are in the form prefname:value, one per
2426           line, where prefname is the name of the preference and value is the
2427           value to which it should be set; white space is allowed between :
2428           and value. A preference setting can be continued on subsequent
2429           lines by indenting the continuation lines with white space. A #
2430           character starts a comment that runs to the end of the line:
2431
2432               # Vertical scrollbars should be on right side?
2433               # TRUE or FALSE (case-insensitive).
2434               gui.scrollbar_on_right: TRUE
2435
2436           The global preferences file is looked for in the wireshark
2437           directory under the share subdirectory of the main installation
2438           directory (for example, /usr/local/share/wireshark/preferences) on
2439           UNIX-compatible systems, and in the main installation directory
2440           (for example, C:\Program Files\Wireshark\preferences) on Windows
2441           systems.
2442
2443           The personal preferences file is looked for in
2444           $XDG_CONFIG_HOME/wireshark/preferences (or, if
2445           $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
2446           present, $HOME/.wireshark/preferences) on UNIX-compatible systems
2447           and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
2448           defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
2449           Windows systems.
2450
2451           Note: Whenever the preferences are saved by using the Save button
2452           in the Edit:Preferences dialog box, your personal preferences file
2453           will be overwritten with the new settings, destroying any comments
2454           and unknown/obsolete settings that were in the file.
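The precedence rules above (global file, then personal file, then each `-o` flag) as an added example, not Wireshark's own parser: it reads the `prefname:value` format with comments and indented continuation lines and records which layer supplied each effective value. Function names are hypothetical, joining continuation lines with a single space is an assumption, `example.multiline` is a made-up preference name, and the sample files are constructed.

```python
def parse_preferences(text):
    """Parse 'prefname: value' lines into a dict, following the format above."""
    prefs, current = {}, None
    for raw in text.splitlines():
        # '#' starts a comment that runs to the end of the line.
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: continuation of the previous setting.
            # Assumption: pieces are joined with one space.
            if current is not None:
                prefs[current] = (prefs[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            current = None          # not a setting; ignore it
            continue
        current = name.strip()
        prefs[current] = value.strip()
    return prefs


def effective_preferences(global_text, personal_text, overrides=()):
    """Return {prefname: (value, source)} after applying all three layers.

    overrides holds the argument of each -o flag, e.g. "prefname:value",
    in command-line order; later layers replace earlier ones.
    """
    result = {}
    for source, text in (("global", global_text), ("personal", personal_text)):
        for name, value in parse_preferences(text).items():
            result[name] = (value, source)
    for item in overrides:
        name, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"-o argument is not prefname:value: {item!r}")
        result[name.strip()] = (value.strip(), "-o")
    return result


# Constructed sample files for illustration.
GLOBAL_PREFS = """\
# site defaults
nameres.network_name: FALSE
gui.scrollbar_on_right: TRUE
"""
PERSONAL_PREFS = """\
nameres.network_name: TRUE   # DNS lookups switched on by the user
example.multiline: one,
    two
"""

if __name__ == "__main__":
    merged = effective_preferences(GLOBAL_PREFS, PERSONAL_PREFS,
                                   ["gui.scrollbar_on_right:FALSE"])
    for name, (value, source) in sorted(merged.items()):
        print(f"{name} = {value}   [{source}]")
```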
2455
2456       Recent
2457
2458           The recent file contains personal settings (mostly GUI related)
2459           such as the current Wireshark window size. The file is saved at
2460           program exit and read in at program start automatically. Note: The
2461           command line flag -o may be used to override settings from this
2462           file.
2463
2464           The settings in this file have the same format as in the
2465           preferences files, and the same directory as for the personal
2466           preferences file is used.
2467
2468           Note: Whenever Wireshark is closed, your recent file will be
2469           overwritten with the new settings, destroying any comments and
2470           unknown/obsolete settings that were in the file.
2471
2472       Disabled (Enabled) Protocols
2473
2474           The disabled_protos files contain system-wide and personal lists of
2475           protocols that have been disabled, so that their dissectors are
2476           never called. The files contain protocol names, one per line, where
2477           the protocol name is the same name that would be used in a display
2478           filter for the protocol:
2479
2480               http
2481               tcp     # a comment
2482
2483           If a protocol is listed in the global disabled_protos file, it is
2484           not displayed in the Analyze:Enabled Protocols dialog box, and so
2485           cannot be enabled by the user.
2486
2487           The global disabled_protos file uses the same directory as the
2488           global preferences file.
2489
2490           The personal disabled_protos file uses the same directory as the
2491           personal preferences file.
2492
2493           Note: Whenever the disabled protocols list is saved by using the
2494           Save button in the Analyze:Enabled Protocols dialog box, your
2495           personal disabled protocols file will be overwritten with the new
2496           settings, destroying any comments that were in the file.
2497
2498       Name Resolution (hosts)
2499
2500           If the personal hosts file exists, it is used to resolve IPv4 and
2501           IPv6 addresses before any other attempts are made to resolve them.
2502           The file has the standard hosts file syntax; each line contains one
2503           IP address and name, separated by whitespace. The same directory as
2504           for the personal preferences file is used.
2505
2506           Capture filter name resolution is handled by libpcap on
2507           UNIX-compatible systems and WinPcap on Windows. As such the
2508           Wireshark personal hosts file will not be consulted for capture
2509           filter name resolution.
2510
2511       Name Resolution (subnets)
2512
2513           If an IPv4 address cannot be translated via name resolution (no
2514           exact match is found) then a partial match is attempted via the
2515           subnets file. Both the global subnets file and personal subnets
2516           files are used if they exist.
2517
2518           Each line of this file consists of an IPv4 address, a subnet mask
2519           length separated only by a / and a name separated by whitespace.
2520           While the address must be a full IPv4 address, any values beyond
2521           the mask length are subsequently ignored.
2522
2523           An example is:
2524
2525               # Comments must be prepended by the # sign!
2526               192.168.0.0/24 ws_test_network
2527
2528           A partially matched name will be printed as
2529           "subnet-name.remaining-address". For example, "192.168.0.1" under
2530           the subnet above would be printed as "ws_test_network.1"; if the
2531           mask length above had been 16 rather than 24, the printed address
2532           would be "ws_test_network.0.1".
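The partial-match naming described above, as an added example (not Wireshark's code): it parses a subnets file and reproduces the "subnet-name.remaining-address" output for the page's own /24 and /16 cases. Function names are hypothetical; preferring the longest matching mask, and dropping only whole octets when the mask length is not a multiple of 8, are assumptions the page does not state.

```python
import ipaddress


def parse_subnets(text):
    """Return [(IPv4Network, name)] sorted with the longest mask first."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 2:
            continue
        try:
            # strict=False: bits beyond the mask length are ignored.
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue
        if net.version == 4:
            entries.append((net, fields[1]))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def subnet_name(address, entries):
    """Return 'name.remaining-octets' for the first matching subnet,
    or the dotted address unchanged when no subnet matches."""
    ip = ipaddress.IPv4Address(address)
    for net, name in entries:
        if ip in net:
            octets = str(ip).split(".")
            remaining = octets[net.prefixlen // 8:]
            return name + "".join("." + o for o in remaining)
    return str(ip)


# The example line from the page, plus a /16 variant of it.
SUBNETS_24 = "# Comments must be prepended by the # sign!\n192.168.0.0/24 ws_test_network\n"
SUBNETS_16 = "192.168.0.0/16 ws_test_network\n"

if __name__ == "__main__":
    print(subnet_name("192.168.0.1", parse_subnets(SUBNETS_24)))
    print(subnet_name("192.168.0.1", parse_subnets(SUBNETS_16)))
```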
2533
2534       Name Resolution (ethers)
2535
2536           The ethers files are consulted to correlate 6-byte hardware
2537           addresses to names. First the personal ethers file is tried and if
2538           an address is not found there the global ethers file is tried next.
2539
2540           Each line contains one hardware address and name, separated by
2541           whitespace. The digits of the hardware address are separated by
2542           colons (:), dashes (-) or periods (.). The same separator character
2543           must be used consistently in an address. The following three lines
2544           are valid lines of an ethers file:
2545
2546               ff:ff:ff:ff:ff:ff          Broadcast
2547               c0-00-ff-ff-ff-ff          TR_broadcast
2548               00.00.00.00.00.00          Zero_broadcast
2549
2550           The global ethers file is looked for in the /etc directory on
2551           UNIX-compatible systems, and in the main installation directory
2552           (for example, C:\Program Files\Wireshark) on Windows systems.
2553
2554           The personal ethers file is looked for in the same directory as the
2555           personal preferences file.
2556
2557           Capture filter name resolution is handled by libpcap on
2558           UNIX-compatible systems and WinPcap on Windows. As such the
2559           Wireshark personal ethers file will not be consulted for capture
2560           filter name resolution.
2561
2562       Name Resolution (manuf)
2563
2564           The manuf file is used to match the 3-byte vendor portion of a
2565           6-byte hardware address with the manufacturer’s name; it can also
2566           contain well-known MAC addresses and address ranges specified with
2567           a netmask. The format of the file is the same as the ethers files,
2568           except that entries such as:
2569
2570               00:00:0C      Cisco
2571
2572           can be provided, with the 3-byte OUI and the name for a vendor, and
2573           entries such as:
2574
2575               00-00-0C-07-AC/40     All-HSRP-routers
2576
2577           can be specified, with a MAC address and a mask indicating how many
2578           bits of the address must match. The above entry, for example, has
2579           40 significant bits, or 5 bytes, and would match addresses from
2580           00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
2581           multiple of 8.
2582
2583           The manuf file is looked for in the same directory as the global
2584           preferences file.
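The ethers and manuf formats described above, as an added example (not Wireshark's code): it parses full addresses, 3-byte OUIs and masked entries, rejects addresses that mix separators, and resolves a MAC address to a name. Function names are hypothetical, and letting the entry with the most significant bits win is an assumption; the sample lines are taken from the page's own examples.

```python
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_MASK = re.compile(r"[0-9]{1,2}")


def _octets(addr):
    """Return the address bytes, or None if separators are mixed or digits are bad."""
    seps = {c for c in addr if c in ":-."}
    if len(seps) != 1:            # the same separator must be used throughout
        return None
    parts = addr.split(seps.pop())
    if len(parts) > 6 or not all(_HEX_PAIR.fullmatch(p) for p in parts):
        return None
    return bytes(int(p, 16) for p in parts)


def parse_entry(line):
    """Parse one ethers/manuf line into (prefix, mask_bits, name), or None."""
    fields = line.split("#", 1)[0].split(None, 1)
    if len(fields) != 2:
        return None
    addr, _, mask = fields[0].partition("/")
    octets = _octets(addr)
    if octets is None:
        return None
    if mask:
        # Explicit mask: number of leading bits that must match.
        if not _MASK.fullmatch(mask) or not 0 < int(mask) <= 8 * len(octets):
            return None
        bits = int(mask)
    elif len(octets) in (3, 6):   # bare OUI or full hardware address
        bits = 8 * len(octets)
    else:
        return None
    prefix = int.from_bytes(octets.ljust(6, b"\0"), "big")
    return prefix, bits, fields[1].strip()


def load(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]


def resolve(mac, entries):
    """Return the name of the most specific matching entry, or None."""
    octets = _octets(mac)
    if octets is None or len(octets) != 6:
        return None
    value = int.from_bytes(octets, "big")
    best = None
    for prefix, bits, name in entries:
        shift = 48 - bits
        if value >> shift == prefix >> shift and (best is None or bits > best[0]):
            best = (bits, name)
    return best[1] if best else None


# Example lines from the page (ethers and manuf sections).
SAMPLE = """\
ff:ff:ff:ff:ff:ff          Broadcast
00:00:0C      Cisco
00-00-0C-07-AC/40     All-HSRP-routers
"""

if __name__ == "__main__":
    table = load(SAMPLE)
    for mac in ("00-00-0C-07-AC-00", "00:00:0c:07:ad:00", "02:00:00:00:00:01"):
        print(mac, "->", resolve(mac, table))
```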
2585
2586       Name Resolution (services)
2587
2588           The services file is used to translate port numbers into names.
2589           Both the global services file and personal services files are used
2590           if they exist.
2591
2592           The file has the standard services file syntax; each line contains
2593           one (service) name and one transport identifier separated by white
2594           space. The transport identifier includes one port number and one
2595           transport protocol name (typically tcp, udp, or sctp) separated by
2596           a /.
2597
2598           An example is:
2599
2600               mydns       5045/udp     # My own Domain Name Server
2601               mydns       5045/tcp     # My own Domain Name Server
2602
2603       Name Resolution (ipxnets)
2604
2605           The ipxnets files are used to correlate 4-byte IPX network numbers
2606           to names. First the global ipxnets file is tried and if that
2607           address is not found there the personal one is tried next.
2608
2609           The format is the same as the ethers file, except that each address
2610           is four bytes instead of six. Additionally, the address can be
2611           represented as a single hexadecimal number, as is more common in
2612           the IPX world, rather than four hex octets. For example, these four
2613           lines are valid lines of an ipxnets file:
2614
2615               C0.A8.2C.00              HR
2616               c0-a8-1c-00              CEO
2617               00:00:BE:EF              IT_Server1
2618               110f                     FileServer3
2619
2620           The global ipxnets file is looked for in the /etc directory on
2621           UNIX-compatible systems, and in the main installation directory
2622           (for example, C:\Program Files\Wireshark) on Windows systems.
2623
2624           The personal ipxnets file is looked for in the same directory as
2625           the personal preferences file.
2626
2627       Capture Filters
2628
2629           The cfilters files contain system-wide and personal capture
2630           filters. Each line contains one filter, starting with the string
2631           displayed in the dialog box in quotation marks, followed by the
2632           filter string itself:
2633
2634               "HTTP" port 80
2635               "DCERPC" port 135
2636
2637           The global cfilters file uses the same directory as the global
2638           preferences file.
2639
2640           The personal cfilters file uses the same directory as the personal
2641           preferences file. It is written through the Capture:Capture Filters
2642           dialog.
2643
2644           If the global cfilters file exists, it is used only if the personal
2645           cfilters file does not exist; global and personal capture filters
2646           are not merged.
2647
2648       Display Filters
2649
2650           The dfilters files contain system-wide and personal display
2651           filters. Each line contains one filter, starting with the string
2652           displayed in the dialog box in quotation marks, followed by the
2653           filter string itself:
2654
2655               "HTTP" http
2656               "DCERPC" dcerpc
2657
2658           The global dfilters file uses the same directory as the global
2659           preferences file.
2660
2661           The personal dfilters file uses the same directory as the personal
2662           preferences file. It is written through the Analyze:Display Filters
2663           dialog.
2664
2665           If the global dfilters file exists, it is used only if the personal
2666           dfilters file does not exist; global and personal display filters
2667           are not merged.
2668
2669       Color Filters (Coloring Rules)
2670
2671           The colorfilters files contain system-wide and personal color
2672           filters. Each line contains one filter, starting with the string
2673           displayed in the dialog box, followed by the corresponding display
2674           filter. Then the background and foreground colors are appended:
2675
2676               # a comment
2677               @tcp@tcp@[59345,58980,65534][0,0,0]
2678               @udp@udp@[28834,57427,65533][0,0,0]
2679
2680           The global colorfilters file uses the same directory as the global
2681           preferences file.
2682
2683           The personal colorfilters file uses the same directory as the
2684           personal preferences file. It is written through the View:Coloring
2685           Rules dialog.
2686
2687           If the global colorfilters file exists, it is used only if the
2688           personal colorfilters file does not exist; global and personal
2689           color filters are not merged.
2690
2691       Plugins
2692
2693           See above in the description of the About:Plugins page.
2694

ENVIRONMENT VARIABLES

2696       WIRESHARK_CONFIG_DIR
2697
2698           This environment variable overrides the location of personal
2699           configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
2700           $HOME/.wireshark if the former is missing while the latter exists).
2701           On Windows, %APPDATA%\Wireshark is used instead. Available since
2702           Wireshark 3.0.
2703
2704       WIRESHARK_DEBUG_WMEM_OVERRIDE
2705
2706           Setting this environment variable forces the wmem framework to use
2707           the specified allocator backend for all allocations, regardless of
2708           which backend is normally specified by the code. This is mainly
2709           useful to developers when testing or debugging. See README.wmem in
2710           the source distribution for details.
2711
2712       WIRESHARK_RUN_FROM_BUILD_DIRECTORY
2713
2714           This environment variable causes the plugins and other data files
2715           to be loaded from the build directory (where the program was
2716           compiled) rather than from the standard locations. It has no effect
2717           when the program in question is running with root (or setuid)
2718           permissions on *NIX.
2719
2720       WIRESHARK_DATA_DIR
2721
2722           This environment variable causes the various data files to be
2723           loaded from a directory other than the standard locations. It has
2724           no effect when the program in question is running with root (or
2725           setuid) permissions on *NIX.
2726
2727       ERF_RECORDS_TO_CHECK
2728
2729           This environment variable controls the number of ERF records
2730           checked when deciding if a file really is in the ERF format.
2731           Setting this environment variable to a number higher than the default
2732           (20) would make false positives less likely.
2733
2734       IPFIX_RECORDS_TO_CHECK
2735
2736           This environment variable controls the number of IPFIX records
2737           checked when deciding if a file really is in the IPFIX format.
2738           Setting this environment variable to a number higher than the default
2739           (20) would make false positives less likely.
2740
       WIRESHARK_ABORT_ON_DISSECTOR_BUG

           If this environment variable is set, Wireshark will call abort(3)
           when a dissector bug is encountered. abort(3) will cause the
           program to exit abnormally; if you are running Wireshark in a
           debugger, it should halt in the debugger and allow inspection of
           the process, and, if you are not running it in a debugger, it will,
           on some OSes, assuming your environment is configured correctly,
           generate a core dump file. This can be useful to developers
           attempting to troubleshoot a problem with a protocol dissector.

       WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

           If this environment variable is set, Wireshark will call abort(3)
           if a dissector tries to add too many items to a tree (generally
           this is an indication of the dissector not breaking out of a loop
           soon enough). abort(3) will cause the program to exit abnormally;
           if you are running Wireshark in a debugger, it should halt in the
           debugger and allow inspection of the process, and, if you are not
           running it in a debugger, it will, on some OSes, assuming your
           environment is configured correctly, generate a core dump file.
           This can be useful to developers attempting to troubleshoot a
           problem with a protocol dissector.

       WIRESHARK_QUIT_AFTER_CAPTURE

           Cause Wireshark to exit after the end of the capture session. This
           doesn’t automatically start a capture; you must still use -k to do
           that. You must also specify an autostop condition, e.g. -c or -a
           duration:.... This means that you will not be able to see the
           results of the capture after it stops; it’s primarily useful for
           testing.

       WIRESHARK_LOG_LEVEL

           This environment variable controls the verbosity of diagnostic
           messages to the console. From least verbose to most verbose, the
           level can be critical, warning, message, info, debug or noisy.
           Levels above the current level are also active. Levels critical
           and error are always active.

       WIRESHARK_LOG_FATAL

           Sets the fatal log level. Fatal log levels cause the program to
           abort. This level can be set to Error, critical or warning. Error
           is always fatal and is the default.

       WIRESHARK_LOG_DOMAINS

           This environment variable selects which log domains are active. The
           filter is given as a case-insensitive, comma-separated list. If it
           is set, only the included domains will be enabled. The default
           domain is always considered to be enabled. Domain filter lists can
           be preceded by '!' to invert the sense of the match.

       WIRESHARK_LOG_DEBUG

           List of domains with debug log level. This sets the level of the
           provided log domains and takes precedence over the active domains
           filter. If preceded by '!', this disables the debug level instead.

       WIRESHARK_LOG_NOISY

           Same as WIRESHARK_LOG_DEBUG, but for the noisy log level instead.
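
           The following added example (not part of the Wireshark man page or
           source code) models in Python how WIRESHARK_LOG_LEVEL,
           WIRESHARK_LOG_DOMAINS, WIRESHARK_LOG_DEBUG and WIRESHARK_LOG_NOISY
           combine to decide whether one message is logged. Assumptions:
           error ranks above critical, message is the level when none is set,
           the default domain is the empty string, a '!' list suppresses that
           level and anything more verbose, and the function names and sample
           domain names are hypothetical.

```python
# Model of the WIRESHARK_LOG_* rules as described in the text above.
# Added illustration, not Wireshark's implementation.

# Least to most severe; "error" above "critical" is an assumption.
LEVELS = ["noisy", "debug", "info", "message", "warning", "critical", "error"]
RANK = {name: i for i, name in enumerate(LEVELS)}
DEFAULT_LEVEL = "message"   # assumption: the page states no default
DEFAULT_DOMAIN = ""         # assumption: name of the "default domain"


def parse_filter(value):
    """Parse 'a,b' or '!a,b' into (domains, positive); None when unset."""
    if not value:
        return None
    positive = not value.startswith("!")
    names = value.lstrip("!").split(",")
    return {n.strip().lower() for n in names if n.strip()}, positive


def is_active(env, domain, level):
    """Return True if a message at `level` from `domain` would be logged."""
    lvl, dom = RANK[level.lower()], domain.lower()
    if lvl >= RANK["critical"]:            # critical and error: always active
        return True
    # Per-domain debug/noisy lists take precedence over the domain filter.
    for var, floor in (("WIRESHARK_LOG_NOISY", "noisy"),
                       ("WIRESHARK_LOG_DEBUG", "debug")):
        flt = parse_filter(env.get(var))
        if flt and dom in flt[0]:
            if flt[1]:                     # listed: enabled down to `floor`
                return lvl >= RANK[floor]
            if lvl <= RANK[floor]:         # '!' list: that level is disabled
                return False
    if lvl < RANK[env.get("WIRESHARK_LOG_LEVEL", DEFAULT_LEVEL).lower()]:
        return False
    flt = parse_filter(env.get("WIRESHARK_LOG_DOMAINS"))
    if flt is None or dom == DEFAULT_DOMAIN:
        return True                        # no filter, or default domain
    return (dom in flt[0]) == flt[1]       # '!' inverts the match


# Constructed sample environment; the domain names are chosen for the demo.
SAMPLE_ENV = {
    "WIRESHARK_LOG_LEVEL": "info",
    "WIRESHARK_LOG_DOMAINS": "Epan,Capture",
    "WIRESHARK_LOG_DEBUG": "DFilter",
}
if __name__ == "__main__":
    for dom, lvl in [("Epan", "info"), ("GUI", "warning"), ("DFilter", "debug")]:
        print(dom, lvl, is_active(SAMPLE_ENV, dom, lvl))
```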

AUTHORS

       Wireshark would not be the powerful, featureful application it is
       without the generous contributions of hundreds of developers.

       A complete list of authors can be found in the AUTHORS file in
       Wireshark’s source code repository and at
       https://www.wireshark.org/about.html#authors.

SEE ALSO

       wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1),
       mergecap(1), text2pcap(1), pcap-filter(7) or tcpdump(8)

NOTES

       This is the manual page for Wireshark 4.0.8. The latest version of
       Wireshark can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.



                                  2023-08-31                      WIRESHARK(1)